'Operation Jacana' Reveals DinodasRAT Custom Backdoor

The previously undocumented data exfiltration malware was part of a successful cyber-espionage campaign against the Guyanese government, likely by the Chinese.

A brown bird with black neck and red face, Wattled Jacana (Jacana jacana) walking on giant water lily leaf, Rupununi, Guyana
Source: Malcolm Schuyl via Alamy Stock Photo

A fresh malware threat dubbed "DinodasRAT" has been uncovered, after being used in a targeted cyber-espionage campaign against a governmental entity in Guyana.

The campaign, which ESET calls "Operation Jacana" after water birds that are native to the South American country, could be linked to (unnamed) Chinese state-sponsored cyberattackers, researchers noted.

The campaign started with targeted spear-phishing emails that referenced recent Guyanese public and political affairs. Once in, the attackers moved laterally throughout the internal network; DinodasRAT was then used to exfiltrate files, manipulate Windows registry keys, and execute commands, according to ESET's Thursday analysis of the Jacana operation.

The malware got its name based on the use of "Din" at the beginning of each of the victim identifiers it sends to the attackers, and that string's similarity to the name of the diminutive hobbit Dinodas Brandybuck from The Lord of the Rings. Perhaps related: DinodasRAT uses the Tiny encryption algorithm to lock away its communications and exfiltration activities from prying eyes.

The Work of a Chinese APT?

ESET attributes the campaign and the custom RAT to a Chinese advanced persistent threat (APT) with medium confidence, based in particular on the attack's use of the Korplug RAT (aka PlugX) — a favorite tool of China-aligned cyberthreat groups like Mustang Panda.

The attack could be in retaliation for recent hiccups in Guyana–China diplomatic relations, according to ESET, such as Guyana's arrest of three people in a money-laundering investigation involving Chinese companies. Those allegations were disputed by the local Chinese embassy.

Interestingly, one lure mentioned a "Guyanese fugitive in Vietnam," and served malware from a legitimate domain ending with gov.vn.

"This domain indicates a Vietnamese governmental website; thus, we believe that the operators were able to compromise a Vietnamese governmental entity and use its infrastructure to host malware samples," said ESET researcher Fernando Tavella in the report — again suggesting that the activity is the work of a more sophisticated player.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights