Guyana Governmental Entity Hit by DinodasRAT in Cyber Espionage Attack

A governmental organization in Guyana has found itself at the center of a cyber espionage operation known as Operation Jacana. The campaign, first identified by ESET in February 2023, involved a spear-phishing attack that ultimately resulted in the deployment of a previously undocumented implant written in C++ called DinodasRAT.

ESET, the Slovak cybersecurity firm, acknowledged that while it couldn’t definitively attribute the intrusion to a specific threat actor or group, it had medium confidence in its connection to a China-linked adversary. This attribution was based on the usage of PlugX (also known as Korplug), a remote access trojan commonly associated with Chinese hacking groups.

The Operation Jacana campaign was highly targeted, with threat actors customizing their phishing emails to entice the selected victim organization. Once an initial set of machines was successfully compromised with DinodasRAT, the attackers progressed further into the target’s internal network, deploying the same backdoor again.

The attack began with a phishing email containing a malicious link, with subject lines referencing a supposed news report about a Guyanese fugitive in Vietnam. If a recipient clicked on the link, a ZIP archive file was downloaded from the domain[.]vn, indicating a compromise of a Vietnamese governmental website used to host the payload.

Within this ZIP archive was an executable file that initiated the DinodasRAT malware, which then proceeded to collect sensitive information from the victim’s computer. DinodasRAT took extra precautions by encrypting the data sent to the command-and-control server using the Tiny Encryption Algorithm (TEA). It had various capabilities, including exfiltrating system metadata, files, manipulating Windows registry keys, and executing commands.

In addition to DinodasRAT, the attackers utilized tools for lateral movement, such as Korplug, and the SoftEther VPN client, which had also been employed by another China-affiliated cluster tracked by Microsoft as Flax Typhoon.

ESET researcher Fernando Tavella noted, “The attackers used a combination of previously unknown tools, such as DinodasRAT, and more traditional backdoors such as Korplug. Based on the spear-phishing emails used to gain initial access to the victim’s network, the operators are keeping track of the geopolitical activities of their victims to increase the likelihood of their operation’s success.”

This operation highlights the continued sophistication and adaptability of threat actors in pursuing cyber espionage objectives.

Megafea Editors