Keypoints
- DinodasRAT has a Linux implant (V10) that targets Red Hat-based and Ubuntu systems and was likely active since 2022.
- On first run (no arguments) the implant creates a hidden mutex file in its own directory named “.[executable_name].mu”, daemonizes, and re-executes itself with the parent PID as an argument, splitting execution across two processes to complicate detection and analysis.
- Persistence is achieved by installing SystemV or SystemD startup entries depending on the distro (an /etc/init.d script, a line appended to /etc/rc.d/rc.local, or SystemD service registration).
- The implant generates a machine UID from the infection date, MD5(dmidecode output), a random number, and the backdoor version, stores it in /etc/.netc.conf, and resets that file’s (and its own) access time with touch -d so that reads do not leave a fresh atime behind.
- C2 communication uses hard-coded domains and TCP/UDP transport with a bespoke packet structure and a wide set of remote commands (file transfer, remote shell, service/process control, uninstall).
- Network and data encryption reuse libqq’s qq_crypt (TEA in CBC mode), with keys shared with the Windows version, to encrypt C2 traffic and stored data.
- Infrastructure overlaps with Windows samples: domains like update.centos-yum[.]com and update.microsoft-settings[.]com resolve to 199.231.211[.]19.
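The TEA-in-CBC construction named in the keypoints, as an added illustration (this is not the implant’s or libqq’s code): a generic TEA block cipher chained in CBC mode with PKCS#7-style padding. The page gives no key material and no word order, cycle count, or padding and framing details for the implant’s qq_crypt usage, so big-endian words, 32 cycles and this padding scheme are assumptions; `cycles` is a parameter so an analyst can match whatever a given binary actually does.

```python
"""Generic TEA-in-CBC, added to illustrate the cipher named on this page.

Not the implant's or libqq's code. Word order (big-endian), cycle count (32)
and PKCS#7-style padding are assumptions; the page gives none of these
details or the keys, so `cycles` is a parameter to match a given binary.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def tea_encrypt_block(v, key, cycles=32):
    """One TEA block: v = (v0, v1) 32-bit words, key = four 32-bit words."""
    v0, v1 = v
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(cycles):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v, key, cycles=32):
    """Inverse of tea_encrypt_block: run the schedule backwards."""
    v0, v1 = v
    k0, k1, k2, k3 = key
    s = (DELTA * cycles) & MASK
    for _ in range(cycles):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _xor8(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tea_cbc_encrypt(plaintext, key16, iv8, cycles=32):
    """CBC: c_i = E(p_i XOR c_{i-1}), c_0 = IV; pads to a multiple of 8 bytes."""
    if len(key16) != 16 or len(iv8) != 8:
        raise ValueError("TEA needs a 16-byte key and an 8-byte IV")
    key = struct.unpack(">4I", key16)          # big-endian words: assumption
    pad = 8 - len(plaintext) % 8               # always 1..8 bytes of padding
    data = plaintext + bytes([pad]) * pad
    prev, out = iv8, bytearray()
    for i in range(0, len(data), 8):
        block = struct.unpack(">2I", _xor8(data[i:i + 8], prev))
        prev = struct.pack(">2I", *tea_encrypt_block(block, key, cycles))
        out += prev
    return bytes(out)


def tea_cbc_decrypt(ciphertext, key16, iv8, cycles=32):
    """CBC decrypt with padding check; a failure here usually means wrong
    key, IV, cycle count or word order rather than a corrupt message."""
    if len(key16) != 16 or len(iv8) != 8:
        raise ValueError("TEA needs a 16-byte key and an 8-byte IV")
    if not ciphertext or len(ciphertext) % 8:
        raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
    key = struct.unpack(">4I", key16)
    prev, out = iv8, bytearray()
    for i in range(0, len(ciphertext), 8):
        c = ciphertext[i:i + 8]
        p = struct.pack(">2I", *tea_decrypt_block(struct.unpack(">2I", c), key, cycles))
        out += _xor8(p, prev)
        prev = c
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key, IV, cycle count or word order")
    return bytes(out[:-pad])


if __name__ == "__main__":
    # Constructed demo key and IV; real keys would have to come from the sample.
    demo_key, demo_iv = bytes(range(16)), b"\x00" * 8
    ct = tea_cbc_encrypt(b"AAAAAAAAAAAAAAAA", demo_key, demo_iv)
    print(ct.hex(), tea_cbc_decrypt(ct, demo_key, demo_iv))
```

Decrypting real captures still requires the keys recovered from the binary, which the page does not publish; the padding check at the end is the quickest way to confirm whether a candidate key, word order and cycle count are right.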
MITRE Techniques
- [T1037.004] Boot or Logon Initialization Scripts: RC Scripts / [T1543.002] Create or Modify System Process: Systemd Service – Installs a SystemV init script (/etc/init.d or a line in /etc/rc.d/rc.local) or registers a SystemD service so the implant launches at boot (‘establishing persistence on the infected system by utilizing SystemV or SystemD startup scripts’).
- [T1564.001] Hide Artifacts: Hidden Files and Directories – Gives the mutex and the profile file dot-prefixed names so they are absent from a plain directory listing (‘creates a hidden file in the same directory as the executable, following the format “.[executable_name].mu”’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Provides the operator with a remote shell and runs shell commands during installation, for example touch -d to reset timestamps (‘by using the “touch” command with the “-d” parameter’).
- [T1082] System Information Discovery – Collects hardware/system info and computes MD5(dmidecode output) for UID generation (‘MD5 hash of the dmidecode command output’).
- [T1070.006] Indicator Removal: Timestomp – Resets the access time of its own binary and of /etc/.netc.conf with touch -d so that reads do not update atime, blunting timeline analysis (‘ensures that any access to this file or to itself … does not update the “access” time … by using the “touch” command with the “-d” parameter’).
- [T1095] Non-Application Layer Protocol – Talks to the C2 directly over TCP or UDP with a custom packet structure rather than an application protocol such as HTTP (‘It communicates over TCP or UDP. The C2 domain is hard-coded into the binary’).
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Uses libqq qq_crypt (TEA in CBC mode) to encrypt C2 communications and data (‘uses Pidgin’s libqq qq_crypt library functions… TEA in CBC mode’).
- [T1070.004] Indicator Removal: File Deletion – On command, removes itself together with its persistence entries and on-disk artifacts (‘Uninstall the implant and delete any artifacts from the system.’).
Indicators of Compromise
- [File hash] Host artifacts – 8138f1af1dc51cde924aa2360f12d650, decd6b94792a22119e1b5a1ed99e8961
- [Domain] Hard-coded C2 domains – update.centos-yum[.]com, update.microsoft-settings[.]com
- [IP] C2 resolution – 199.231.211[.]19 (resolves for both update.centos-yum[.]com and update.microsoft-settings[.]com)
- [File path / name] Local persistence/config – /etc/.netc.conf (profile file), hidden mutex like .[executable_name].mu
DinodasRAT Linux implant technical procedure (concise):
The implant launches by creating a hidden mutex file named .[executable_name].mu and daemonizing when executed without arguments; it then spawns a child process by re-executing itself with the parent PID as an argument to verify execution and complicate detection. For persistence the binary detects the init system (SystemD vs SysV via /proc/version and presence of chkconfig) and installs a suitable startup entry—either a SystemD service or SysV scripts (/etc/init.d or appended to /etc/rc.d/rc.local) that run after network setup.
Before contacting C2, DinodasRAT generates a unique UID composed of the infection date, MD5(dmidecode output), a random number, and the backdoor version, saving profile data in /etc/.netc.conf; it deliberately preserves file access timestamps by invoking touch -d to avoid updating atime. Network communication uses hard-coded C2 domains and TCP/UDP with a custom packet format; commands supported include directory listing, file upload/download, remote shell, process/service enumeration and control, proxying, updating the implant, and full uninstall. Communications and stored data are encrypted using libqq’s qq_crypt (TEA in CBC), sharing keys with Windows variants, and infrastructure overlaps show domains like update.centos-yum[.]com resolving to 199.231.211[.]19.
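A host-triage script covering the on-disk artifacts from the IoC list and the procedure above, added here as an example (it is not from the Securelist write-up). It checks only what the page states: the /etc/.netc.conf profile file, a hidden “.[executable_name].mu” mutex sitting beside an executable of that name, and the two published MD5 hashes. The demo tree it builds when run without arguments is constructed (the executable name “netd” in it is hypothetical); point it at / for a real check.

```python
"""Host triage for the DinodasRAT Linux artifacts listed on this page.

Added example (not from the Securelist write-up). It checks only what the
page states: the /etc/.netc.conf profile file, a hidden ".<name>.mu" mutex
beside an executable named <name>, and the two published MD5 hashes.
Run as: python3 triage.py /   (with no argument it scans a constructed demo tree).
"""
import hashlib
import os
import stat
import sys
import tempfile

KNOWN_MD5 = {  # file hashes from the IoC list above
    "8138f1af1dc51cde924aa2360f12d650",
    "decd6b94792a22119e1b5a1ed99e8961",
}
PROFILE_REL = os.path.join("etc", ".netc.conf")
SKIP_DIRS = {"proc", "sys", "dev", "run"}  # pseudo filesystems, never scan


def md5_file(path):
    """MD5 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root):
    """os.walk over root, pruning pseudo filesystems directly under it."""
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.abspath(dirpath) == os.path.abspath(root):
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        yield dirpath, filenames


def find_mutex_pairs(root):
    """(mutex, executable) pairs where '.<name>.mu' sits beside '<name>'."""
    hits = []
    for dirpath, files in walk(root):
        names = set(files)
        for fn in files:
            if fn.startswith(".") and fn.endswith(".mu") and fn[1:-3] in names:
                hits.append((os.path.join(dirpath, fn), os.path.join(dirpath, fn[1:-3])))
    return hits


def find_hash_hits(root):
    """Regular files with any exec bit whose MD5 is a published IoC.
    Hashing every executable is slow on a full system; narrow root if needed."""
    hits = []
    for dirpath, files in walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                    continue
                if md5_file(path) in KNOWN_MD5:
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished; skip quietly
    return hits


def triage(root):
    """Collect the three artifact checks into one result dict."""
    profile = os.path.join(root, PROFILE_REL)
    return {
        "profile": profile if os.path.isfile(profile) else None,
        "mutex": find_mutex_pairs(root),
        "hash_hits": find_hash_hits(root),
    }


def build_fixture():
    """Constructed demo tree (not real samples) so the checks can run offline."""
    root = tempfile.mkdtemp(prefix="dinodas-demo-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "opt", "svc"))
    with open(os.path.join(root, PROFILE_REL), "wb") as f:
        f.write(b"constructed profile contents")
    exe = os.path.join(root, "opt", "svc", "netd")  # hypothetical implant name
    with open(exe, "wb") as f:
        f.write(b"abc")  # md5 900150983cd24fb0d6963f7d28e17f72, not an IoC
    os.chmod(exe, 0o755)
    open(os.path.join(root, "opt", "svc", ".netd.mu"), "wb").close()
    open(os.path.join(root, "opt", ".orphan.mu"), "wb").close()  # no sibling
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for key, value in triage(target).items():
        print(f"{key}: {value}")
```

A hash hit is conclusive; a profile file or mutex pair on its own is a strong lead that still warrants pulling the paired binary and the init.d, rc.local and systemd unit entries that reference it before calling it an infection.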
Read more: https://securelist.com/dinodasrat-linux-implant/112284/