Security researchers have observed Red Hat and Ubuntu systems being attacked by a Linux version of the DinodasRAT (also known as XDealer) that may have been operating since 2022.
The Linux variant of the malware had not previously been described publicly, although its first version has been traced back to 2021.
Cybersecurity company ESET has previously seen DinodasRAT compromising Windows systems in an espionage campaign dubbed ‘Operation Jacana’ that targeted government entities.
Earlier this month, Trend Micro reported on a Chinese APT group it tracks as ‘Earth Krahang,’ which used XDealer to breach both Windows and Linux systems of governments worldwide.
In a report earlier this week, researchers at Kaspersky say that when executed, the Linux variant of DinodasRAT creates a hidden file in the same directory as its binary; this file acts as a mutex to prevent multiple instances from running on the infected device.
Next, the malware establishes persistence on the computer using SysV or systemd startup scripts. To complicate detection, the malware then executes itself once more as a child process while the parent process waits.
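The two behaviours Kaspersky describes, a start-up entry plus a hidden marker file beside the launched binary, can be hunted for together. The following script is an added example written for this article, not code from Kaspersky's report or the malware; it parses systemd `ExecStart=` lines and SysV-style scripts, then flags any launched binary whose directory also contains a hidden regular file. The start-up directories, file names and sample tree are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# systemd ExecStart= lines; the optional prefix chars (-, @, :, +, !) are unit syntax, not path.
EXEC_RE = re.compile(r"^ExecStart=[-@:+!]*(\S+)", re.M)
# SysV-style scripts: a line that invokes a program by absolute path.
SYSV_RE = re.compile(r"^\s*(?:exec\s+|nohup\s+)?(/\S+)", re.M)

def launched_binaries(start_file: Path) -> set:
    """Absolute paths of executables a unit file or init script launches."""
    text = start_file.read_text(errors="replace")
    return set(EXEC_RE.findall(text)) | set(SYSV_RE.findall(text))

def hidden_siblings(binary: Path) -> list:
    """Hidden regular files in the directory where the binary resides (the mutex pattern)."""
    d = binary.parent
    return sorted(str(p) for p in d.iterdir() if p.name[0] == "." and p.is_file()) if d.is_dir() else []

def find_suspects(start_dirs) -> dict:
    """Map start-up entry -> {binary: [hidden files]} for entries matching the pattern."""
    suspects = {}
    for d in start_dirs:
        for f in Path(d).rglob("*"):
            if f.is_file():
                for b in launched_binaries(f):
                    hidden = hidden_siblings(Path(b))
                    if hidden:
                        suspects.setdefault(str(f), {})[b] = hidden
    return suspects

def build_demo_tree() -> tuple:
    """Constructed sample host: one implant-like entry (flagged), one benign entry (not flagged)."""
    root = Path(tempfile.mkdtemp())
    app, usr = root / "opt/agent", root / "usr/bin"
    app.mkdir(parents=True); usr.mkdir(parents=True)
    (app / "agent").write_bytes(b"\x7fELF")     # stand-in for the implant binary
    (app / ".agent.lock").write_bytes(b"")      # hidden single-instance marker next to it
    (usr / "sshd").write_bytes(b"\x7fELF")      # benign service, no hidden sibling
    units, initd = root / "etc/systemd/system", root / "etc/init.d"
    units.mkdir(parents=True); initd.mkdir(parents=True)
    (units / "agent.service").write_text(f"[Service]\nExecStart={app}/agent -d\n")
    (units / "ssh.service").write_text(f"[Service]\nExecStart={usr}/sshd\n")
    (initd / "agent").write_text(f"#!/bin/sh\n{app}/agent start\n")
    return root, [units, initd]

if __name__ == "__main__":
    _, dirs = build_demo_tree()
    for entry, hits in find_suspects(dirs).items():
        print(entry, "->", hits)
```

On a real host, pass the actual start-up directories (for example `/etc/systemd/system` and `/etc/init.d`) to `find_suspects` and review each hit by hand, since a hidden lock file beside a legitimate service is possible.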
