A governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana.
The activity, which was detected by ESET in February 2023, entailed a spear-phishing attack that led to the deployment of a hitherto undocumented implant written in C++ called DinodasRAT.
The Slovak cybersecurity firm said it could not link the intrusion to a known threat actor or group, but attributed it with medium confidence to a China-nexus adversary, owing to the use of PlugX (aka Korplug), a remote access trojan commonly used by Chinese hacking crews.
The infection sequence commenced with a phishing email containing a booby-trapped link with subject lines referencing an alleged news report about a Guyanese fugitive in Vietnam.
Should a recipient click on the link, a ZIP archive file is downloaded from the domain fta.moit.gov[.]vn, indicating a compromise of a Vietnamese governmental website to host the payload.
Also deployed are tools for lateral movement, Korplug, and the SoftEther VPN client, the latter of which has been put to use by another China-affiliated cluster tracked by Microsoft as Flax Typhoon.
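The only concrete indicator the report gives is the staging domain, so the natural defensive check is to watch proxy or web-gateway logs for downloads from it. The script below is an added example, not ESET's or The Hacker News' own tooling: it refangs the defanged domain from the article, then scans a few constructed proxy log lines (the five-field format is assumed for illustration) and flags any request to that host, noting when the download is a ZIP archive as in the described infection chain.

```python
import re
from dataclasses import dataclass

# Indicator as published in the article, kept in its defanged form.
DEFANGED_DOMAINS = ["fta.moit.gov[.]vn"]

# Constructed sample proxy log lines (hypothetical format:
# client-ip method url status content-type). Only the first and third
# lines reference the staging host from the report.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://fta.moit.gov.vn/files/news.zip 200 application/zip
10.0.0.13 GET https://example.org/index.html 200 text/html
10.0.0.14 GET https://fta.moit.gov.vn/vn/fugitive-report.zip 200 application/zip
10.0.0.15 GET https://cdn.example.net/update.zip 200 application/zip
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back to its real form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL, or '' if it has no scheme/host."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def scan_proxy_log(text: str, defanged_domains=DEFANGED_DOMAINS) -> list[Hit]:
    """Return one Hit per log line whose host matches (or is a subdomain of) a watched domain."""
    watch = {refang(d).lower() for d in defanged_domains}
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = host_of(m["url"])
        on_watchlist = host in watch or any(host.endswith("." + w) for w in watch)
        if not on_watchlist:
            continue
        is_zip = m["url"].lower().endswith(".zip") or m["ctype"] == "application/zip"
        reason = "request to Operation Jacana staging host"
        if is_zip:
            reason += " (ZIP archive download, matches reported infection chain)"
        hits.append(Hit(client=m["client"], url=m["url"], reason=reason))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit.client} -> {hit.url}: {hit.reason}")
```

Matching is on the hostname rather than the whole URL so that any path on the compromised site is caught, and subdomains of the indicator are included; the unrelated `cdn.example.net` ZIP download is deliberately not flagged, since a ZIP download alone is not an indicator without the host match.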
“The attackers used a combination of previously unknown tools, such as DinodasRAT, and more traditional backdoors such as Korplug,” ESET researcher Fernando Tavella said.
“Based on the spear-phishing emails used to gain initial access to the victim’s network, the operators are keeping track of the geopolitical activities of their victims to increase the likelihood of their operation’s success.”
Source: https://thehackernews.com/