'Operation Jacana' Reveals DinodasRAT Custom Backdoor

A fresh malware threat dubbed "DinodasRAT" has been uncovered, after being used in a targeted cyber-espionage campaign against a governmental entity in Guyana.

The campaign, which ESET calls "Operation Jacana" after water birds that are native to the South American country, could be linked to (unnamed) Chinese state-sponsored cyberattackers, researchers noted.

The campaign started with targeted spear-phishing emails that referenced recent Guyanese public and political affairs. Once in, the attackers moved laterally throughout the internal network; DinodasRAT was then used to exfiltrate files, manipulate Windows registry keys, and execute commands, according to ESET's Thursday analysis of the Jacana operation.

The malware got its name based on the use of "Din" at the beginning of each of the victim identifiers it sends to the attackers, and that string's similarity to the name of the diminutive hobbit Dinodas Brandybuck from The Lord of the Rings. Perhaps related: DinodasRAT uses the Tiny encryption algorithm to lock away its communications and exfiltration activities from prying eyes.

The Work of a Chinese APT?

ESET attributes the campaign and the custom RAT to a Chinese advanced persistent threat (APT) with medium confidence, based in particular on the attack's use of the Korplug RAT (aka PlugX) — a favorite tool of China-aligned cyberthreat groups like Mustang Panda.

The attack could be in retaliation for recent hiccups in Guyana–China diplomatic relations, according to ESET, such as Guyana's arrest of three people in a money-laundering investigation involving Chinese companies. Those allegations were disputed by the local Chinese embassy.

Interestingly, one lure mentioned a "Guyanese fugitive in Vietnam," and served malware from a legitimate domain ending with gov.vn.

"This domain indicates a Vietnamese governmental website; thus, we believe that the operators were able to compromise a Vietnamese governmental entity and use its infrastructure to host malware samples," said ESET researcher Fernando Tavella in the report — again suggesting that the activity is the work of a more sophisticated player.