A wild RAT appears: reversing DinodasRAT on Linux - Anderson Leite
Presented at the VB2024 conference in Dublin, 2 - 4 October 2024.
↓ Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-A-wild-RAT-appears-reversing-DinodasRAT-on-Linux.pdf
↓ Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/A-wild-RAT-appears-reversing-DinodasRAT-on-Linux.pdf
→ Details: https://www.virusbulletin.com/conference/vb2024/abstracts/wild-rat-appears-reversing-dinodasrat-linux/
✪ PRESENTED BY ✪
• Anderson Leite (Kaspersky)
✪ ABSTRACT ✪
The age-old notion that “Linux doesn't have viruses” no longer holds. Today Linux faces numerous advanced threats and malware families, making it a prime target, and DinodasRAT is no exception. First detected as XDealer in 2021 as part of a LuoYu APT group campaign, it operated silently for at least two years with little detection and no decent coverage from the anti-malware industry, all the while being used as a cyberespionage tool in the service of political interests.
While the Windows version of this threat has received much attention recently, the Linux variant has spread under the radar. This presentation dives deep into every aspect of this uncommon RAT in the Linux environment. We explore the malware's internals using reverse engineering and automation, and dissect its entire network protocol in order to build an emulated C2 environment that assists debugging.
To successfully analyse a binary in the Linux environment, one must understand its internal workings and be able to identify the functions that matter to the analyst, including anti-debugging (hiding from a debugger) and filesystem manipulation. These aspects are also covered in this presentation to give the audience a concrete understanding of Linux malware security research.
The topics covered will include:
• General behaviour of DinodasRAT
• Persistence mechanisms
• Monitoring and hiding capabilities
• In-depth analysis of the network protocol
• Emulated C2 following the entire “malware specification” to gain control over it