Intel Wrap – March

April 2, 2024
Musa Nadir Sani

This month focuses on Darcula Phishing-as-a-Service (PaaS), the XZ backdoor discovered in Linux distros, and the Linux version of DinodasRAT (also known as XDealer). Keep reading to stay up to date with the latest Intelligence updates from our Command Center.

Darcula Phishing-as-a-Service

Darcula, a new phishing-as-a-service platform, has emerged with a level of sophistication not seen before, offering clients over 200 templates that impersonate a wide variety of services and organizations.


  • Darcula uses iMessage and RCS (Rich Communication Services) rather than SMS to send text messages.
  • Subscription fees for clients are around $250 per month.
  • So far, over 20,000 of its phishing domains have been used in cyberattacks in over 100 countries.
  • Darcula is built with modern technologies such as Docker, Harbor, React and JavaScript, allowing for easy software updates without input from the user.
  • Darcula has over 200 hyper-realistic phishing templates of organizations and brands. These include high-quality landing pages with the correct local language, logo and content.
  • Read more about Darcula here

XZ Utils backdoor affecting Linux Distros

In late March, a Microsoft developer noticed a seemingly insignificant delay in an SSH connection on a Linux device. That observation led to the discovery of a backdoor intentionally planted in XZ Utils on Linux devices.


  • XZ Utils is an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems.
  • The backdoor was discovered during a troubleshooting session after a developer, Andres Freund, noticed that SSH logins were consuming many CPU cycles and generating errors.
  • Confirmation came when Freund noticed that unscheduled updates were being made to XZ Utils.
  • The updates added malicious code to XZ Utils versions 5.6.0 and 5.6.1, modifying the way the software functions by manipulating sshd, the executable file used to make remote SSH connections.
  • A threat actor with a predetermined encryption key could thus stash any code of their choice in an SSH login certificate, upload it and have it executed.
  • Find more information about the backdoor here
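A quick triage aid for the two releases named above, as an added example that is not part of the original post: it normalizes distro package version strings and flags hosts whose xz or liblzma package is 5.6.0 or 5.6.1. The inventory lines, host names and function names are constructed for illustration; the "+really" handling reflects Debian's convention for a package that was reverted to an older upstream release.

```shell
#!/bin/sh
# Added example: flag package versions matching the releases the article
# names as backdoored (XZ Utils 5.6.0 and 5.6.1).

# Reduce a distro package version string to the upstream x.y.z version.
xz_upstream_version() {
    v="$1"
    v="${v#*:}"                          # drop an epoch prefix such as "1:"
    case "$v" in
        *+really*) v="${v#*+really}" ;;  # reverted package: real version follows
    esac
    printf '%s\n' "$v" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Exit status 0 if the version is one of the two affected releases.
xz_is_affected() {
    case "$(xz_upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "host package version" lines on stdin, print only the affected ones.
scan_inventory() {
    while read -r host pkg ver; do
        [ -n "$ver" ] || continue        # skip blank or malformed lines
        if xz_is_affected "$ver"; then
            printf '%s %s %s\n' "$host" "$pkg" "$ver"
        fi
    done
}

# Constructed sample inventory (hypothetical hosts and package versions).
sample_inventory() {
    cat <<'EOF'
web01 xz-utils 5.6.1-1
db01 liblzma5 5.6.1+really5.4.5-1
build03 xz-libs 1:5.6.0-3
app02 xz-utils 5.4.1-0.2
EOF
}

sample_inventory | scan_inventory
```

A match only means the installed release is one of the two named versions; whether sshd on that host actually loads liblzma can be checked separately with `ldd "$(command -v sshd)"`.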

DinodasRAT malware targets Linux servers

Recently, the Linux variant of the DinodasRAT malware has been observed attacking targets in Africa, Southeast Asia and South America. Security researchers believe DinodasRAT is operated by a China-nexus cyber espionage threat actor called Earth Krahang.


  • The first version of DinodasRAT was tracked to 2021; a recent campaign dubbed ‘Operation Jacana’ has seen DinodasRAT being used to compromise Windows systems.
  • When executed, DinodasRAT creates a hidden file in the directory where its binary resides. This file acts as a mutex, preventing multiple instances of the malware from running on the same device.
  • The malware then establishes persistence using SystemV or SystemD startup scripts.
  • After the infection phase is complete, the machine is tagged using infection, hardware, and system details, and the report is sent to the command and control (C2) server via TCP or UDP so that the operators can manage victim hosts.
  • Data is transferred using the Tiny Encryption Algorithm (TEA) in CBC mode to protect the data exchanged.
  • DinodasRAT has an array of features including monitoring and harvesting of data, C2 command execution, Proxy C2 communications, and process and service manipulation on the infected system.

More information can be found about the malware here
