A governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana.
The activity, which was detected by ESET in February 2023, entailed a spear-phishing attack that led to the deployment of a hitherto undocumented implant written in C++ called DinodasRAT.
The Slovak cybersecurity firm said it could link the intrusion to a known threat actor or group, but attributed with medium confidence to a China-nexus adversary owing to the use of PlugX (aka Korplug), a remote access trojan common to Chinese hacking crews.
"This campaign was targeted, as the threat actors crafted their emails specifically to entice their chosen victim organization," ESET said in a report shared with The Hacker News.
"After successfully compromising an initial but limited set of machines with DinodasRAT, the operators proceeded to move inside and breach the target's internal network, where they again deployed this backdoor."
The infection sequence commenced with a phishing email containing a booby-trapped link with subject lines referencing an alleged news report about a Guyanese fugitive in Vietnam.
Should a recipient click on the link, a ZIP archive file is downloaded from the domain fta.moit.gov[.]vn, indicating a compromise of a Vietnamese governmental website to host the payload.
Embedded within the ZIP archive is an executable that launches the DinodasRAT malware to collect sensitive information from a victim's computer.
DinodasRAT, besides encrypting the information it sends to the command-and-control (C2) server using the Tiny Encryption Algorithm (TEA), comes with capabilities to exfiltrate system metadata, files, manipulate Windows registry keys, and execute commands.
Also deployed are tools for lateral movement, Korplug, and the SoftEther VPN client, the latter of which has been put to use by another China-affiliated cluster tracked by Microsoft as Flax Typhoon.
"There is an ongoing trend among China-aligned threat actors to use non-commercial VPN networks in order to anonymize their network traffic," Matthieu Faou, malware researcher at ESET, told The Hacker News.
"Often, those VPN networks are running on compromised devices such as routers. As for SoftEther specifically, it can be used by threat actors to create their own VPN network or to proxy traffic from the local victim’s network to the attacker-controlled server."
"The attackers used a combination of previously unknown tools, such as DinodasRAT, and more traditional backdoors such as Korplug," ESET researcher Fernando Tavella said.
"Based on the spear-phishing emails used to gain initial access to the victim's network, the operators are keeping track of the geopolitical activities of their victims to increase the likelihood of their operation's success."
(The story has been updated with additional comments from ESET.)