Guyana Governmental Entity Hit by DinodasRAT in Cyber Espionage Attack

A governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana.

The activity, which was detected by ESET in February 2023, entailed a spear-phishing attack that led to the deployment of a hitherto undocumented implant written in C++ called DinodasRAT.

The Slovak cybersecurity firm said it could link the intrusion to a known threat actor or group, but attributed with medium confidence to a China-nexus adversary owing to the use of PlugX (aka Korplug), a remote access trojan common to Chinese hacking crews.

“This campaign was targeted, as the threat actors crafted their emails specifically to entice their chosen victim organization,” ESET said in a report shared with The Hacker News.

“After successfully compromising an initial but limited set of machines with DinodasRAT, the operators proceeded to move inside and breach the target’s internal network, where they again deployed this backdoor.”

The infection sequence commenced with a phishing email containing a booby-trapped link with subject lines referencing an alleged news report about a Guyanese fugitive in Vietnam.

Should a recipient click on the link, a ZIP archive file is downloaded from the domain fta.moit.gov[.]vn, indicating a compromise of a Vietnamese governmental website to host the payload.

Embedded within the ZIP archive is an executable that launches the DinodasRAT malware to collect sensitive information from a victim’s computer.

DinodasRAT, besides encrypting the information it sends to the command-and-control (C2) server using the Tiny Encryption Algorithm (TEA), comes with capabilities to exfiltrate system metadata, files, manipulate Windows registry keys, and execute commands.

Also deployed are tools for lateral movement, Korplug, and the SoftEther VPN client, the latter of which has been put to use by another China-affiliated cluster tracked by Microsoft as Flax Typhoon.

“The attackers used a combination of previously unknown tools, such as DinodasRAT, and more traditional backdoors such as Korplug,” ESET researcher Fernando Tavella said.

“Based on the spear-phishing emails used to gain initial access to the victim’s network, the operators are keeping track of the geopolitical activities of their victims to increase the likelihood of their operation’s success.”