China-Linked APT Uses New Backdoor for Espionage in Guyana
Attackers Use Previously Undocumented Backdoor as Well as Traditional Hacking Tools
The government of a Caribbean nation was the target of a cyberespionage campaign that has indicators of Chinese origin. Cybersecurity firm Eset said attackers used a previously undocumented backdoor as well as traditional hacking tools to target an unidentified "governmental entity" in Guyana.
Eset attributed the campaign to Chinese hackers with medium confidence. During the attack, the threat actors deployed a variant of Korplug - also known as PlugX, a remote access tool used by hackers suspected of having ties with Beijing (see: Threat Actor Targets Hong Kong With Korplug Backdoor).
Bolstering the company's attribution, it said in a Thursday blog post, are recent developments in Guyana, including the February 2023 arrest by Guyana authorities of three people on charges of money laundering for Chinese businesses. Eset called the cyberespionage campaign "Operation Jacana" and said it took place around the time of the arrests.
The country, located on the South American mainland, participates in China's international Belt and Road Initiative. The initiative is Chinese President Xi Jinping's long-standing bid to accrue international influence by funding infrastructure projects in underdeveloped countries. Guyanese President Mohamed Irfaan Ali traveled to China in July to meet with Xi. "China and Guyana should be good friends who trust and count on each other," China's Ministry of Foreign Affairs wrote of the encounter.
Operation Jacana used spear-phishing emails referencing Guyanese public affairs with subject lines "President Mohamed Irfaan Ali's Official Visit to Nassau, The Bahamas," and "Guyanese fugitive in Vietnam." The first subject coincided with a trip by Ali to the Bahamas for a Caribbean Community annual summit.
The phishing messages contained a link to a downloadable ZIP file containing the previously undocumented backdoor, which Eset christened "DinodasRAT." Eset chose the name because the victim identifier it sends to the command-and-control servers always begins with the string "Din." That reminded security researchers of the hobbit Dinodas from "The Lord of the Rings."
Among its functions, DinodasRAT takes screenshots of the victim machine every and gets the content of the clipboard every five minutes. It has an extensive command repertoire, enabling the attackers to manipulate files, execute commands, enumerate processes, manage services and even establish reverse shells. It sends information back to the command-and-control server after applying the Tiny Encryption Algorithm.
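The two details above that an analyst can act on are that the backdoor encrypts what it sends to its command-and-control server with the Tiny Encryption Algorithm and that the victim identifier always starts with "Din." The following is an added example, not Eset's code or the malware's: a plain TEA implementation plus a helper that decrypts a captured message with a recovered key and checks for that prefix. The key, ECB mode, zero padding, little-endian word order and the sample identifier are all assumptions made for the demonstration.

```python
import struct

DELTA = 0x9E3779B9   # TEA key schedule constant
MASK32 = 0xFFFFFFFF

def tea_encrypt_block(v0, v1, k, rounds=32):
    """Encrypt one 64-bit block (two uint32 halves) with a 128-bit key (four uint32)."""
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1

def tea_decrypt_block(v0, v1, k, rounds=32):
    """Inverse of tea_encrypt_block: undo the rounds in reverse starting from the final sum."""
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1

def _tea_ecb(data: bytes, key16: bytes, block_fn) -> bytes:
    """Apply block_fn to each 8-byte block. ECB, zero padding and LE words are assumptions."""
    k = struct.unpack("<4I", key16)
    data += b"\x00" * (-len(data) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    return bytes(out)

def tea_encrypt(data: bytes, key16: bytes) -> bytes:
    return _tea_ecb(data, key16, tea_encrypt_block)

def tea_decrypt(blob: bytes, key16: bytes) -> bytes:
    return _tea_ecb(blob, key16, tea_decrypt_block).rstrip(b"\x00")

def looks_like_dinodas_beacon(blob: bytes, key16: bytes) -> bool:
    """Decrypt a captured C2 message and test for the 'Din' victim-ID prefix the article describes."""
    return tea_decrypt(blob, key16).startswith(b"Din")

# Constructed sample: a hypothetical key and victim identifier, not real indicators.
SAMPLE_KEY = bytes(range(16))
SAMPLE_ID = b"Din-WORKSTATION01"
SAMPLE_BEACON = tea_encrypt(SAMPLE_ID, SAMPLE_KEY)
```

With a real key recovered from a sample, the same helper can be pointed at captured traffic; without the key, the prefix check is not usable and only the periodic beaconing cadence remains as a network signal.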
In addition to DinodasRAT, the attackers used Korplug and a SoftEther virtual private network client to further their intrusion.