Government Entity in Guyana Targeted in Operation Jacana Cyber Espionage Attack
A governmental entity in Guyana was the target of a recent cyber espionage campaign known as Operation Jacana.
This sophisticated attack, uncovered by ESET in February 2023, involved a spear-phishing incident leading to the deployment of a previously undocumented implant named DinodasRAT.
Key Takeaways:
- Operation Jacana: A cyber espionage campaign, Operation Jacana, was discovered when a governmental entity in Guyana fell victim to a spear-phishing attack in February 2023.
- DinodasRAT Implant: The attack deployed DinodasRAT, a previously undocumented implant written in C++. The activity is attributed with medium confidence to a China-linked threat group because the PlugX remote access trojan was also used.
- Infection Sequence: The attack began with phishing emails containing links related to a supposed news report about a Guyanese fugitive in Vietnam. Clicking the link initiated the download of a ZIP archive file containing DinodasRAT.
Operation Jacana Unveiled
A governmental entity in Guyana found itself at the center of a cyber espionage operation known as Operation Jacana.
This campaign was brought to light when cybersecurity experts from ESET detected it in February 2023. The attackers employed a spear-phishing strategy to gain initial access to the victim organization.
DinodasRAT: The Mysterious Implant
A noteworthy aspect of this attack was the utilization of DinodasRAT, a previously undocumented implant crafted in C++.
While the attackers behind this campaign remain partially unidentified, there is medium-confidence attribution to a China-associated adversary.
This attribution is based on the use of PlugX, a well-known remote access trojan frequently associated with Chinese hacking groups.
Targeted Spear Phishing
ESET’s report revealed that this cyber-espionage campaign was meticulously targeted. The threat actors tailored their phishing emails to be enticing to the chosen victim organization.
Once they successfully compromised a limited set of machines with DinodasRAT, they proceeded to infiltrate the target’s internal network, where they once again deployed this backdoor.
Phishing Email Infection
The attack began with spear-phishing emails that contained deceptive links. These emails featured subject lines referring to a supposed news report regarding a Guyanese fugitive in Vietnam.
If a recipient clicked on the link, it initiated the download of a ZIP archive file from the domain fta.moit.gov[.]vn. This domain had been compromised and was used to host the malicious payload.
DinodasRAT Capabilities
DinodasRAT, once executed, encrypted the data it sent to the command-and-control (C2) server using the Tiny Encryption Algorithm (TEA).
This implant possessed several capabilities, including the exfiltration of system metadata and files, manipulation of Windows registry keys, and execution of commands on the compromised system.
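Because DinodasRAT protects its C2 traffic with TEA, an analyst who recovers the key from a sample can decode captured sessions offline. The following is an added example, not code from this article or from ESET's report: a reference TEA implementation in Python with a round-trip helper. The key, the zero-IV-free ECB block mode and the little-endian word layout are assumptions for illustration; the page does not give DinodasRAT's actual key, mode or message framing.

```python
import struct

DELTA = 0x9E3779B9          # TEA constant, derived from the golden ratio
MASK32 = 0xFFFFFFFF
ROUNDS = 32                 # 32 cycles = 64 Feistel rounds, the standard TEA setting


def _mix(v, s, ka, kb):
    """One half-round of TEA: the value fed into the other 32-bit word."""
    return ((((v << 4) & MASK32) + ka) ^ (v + s) ^ ((v >> 5) + kb)) & MASK32


def tea_encrypt_block(v0, v1, key):
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + _mix(v1, s, k0, k1)) & MASK32
        v1 = (v1 + _mix(v0, s, k2, k3)) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    k0, k1, k2, k3 = key
    s = (DELTA * ROUNDS) & MASK32      # sum after the last encryption round
    for _ in range(ROUNDS):
        v1 = (v1 - _mix(v0, s, k2, k3)) & MASK32
        v0 = (v0 - _mix(v1, s, k0, k1)) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def tea_ecb(data: bytes, key: bytes, encrypt: bool) -> bytes:
    """Apply TEA block by block. ECB and little-endian words are assumptions."""
    if len(key) != 16:
        raise ValueError("TEA needs a 128-bit key")
    if len(data) % 8:
        raise ValueError("data must be a multiple of the 8-byte block size")
    k = struct.unpack("<4I", key)
    fn = tea_encrypt_block if encrypt else tea_decrypt_block
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *fn(v0, v1, k))
    return bytes(out)


def demo():
    """Constructed sample: a fake beacon field and a placeholder key."""
    key = b"constructed-key!"                 # 16 bytes, not a real malware key
    beacon = b"hostname=GY-PC01"              # 16 bytes, two TEA blocks
    wire = tea_ecb(beacon, key, encrypt=True)  # what a capture would contain
    return wire, tea_ecb(wire, key, encrypt=False)
```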
Tools for Lateral Movement
In addition to DinodasRAT, the attackers deployed tools for lateral movement within the victim’s network.
One of these tools was Korplug (the name ESET uses for PlugX), a traditional backdoor; another was the SoftEther VPN client, which has previously been associated with China-affiliated cyber clusters such as Flax Typhoon, tracked by Microsoft.
Geopolitical Awareness of Attackers
The attackers displayed a high level of awareness regarding geopolitical activities. They tailored their spear-phishing emails to align with current events, enhancing the likelihood of their attack’s success.
Conclusion
Operation Jacana sheds light on the evolving landscape of cyber espionage. The targeted and sophisticated nature of this attack, along with the utilization of previously unknown tools like DinodasRAT, highlights the importance of robust cybersecurity measures in an increasingly digital world.
Organizations must remain vigilant and proactive in defending against such threats.
About ESET: ESET is a renowned cybersecurity firm with expertise in detecting and mitigating advanced cyber threats. Their timely discovery of Operation Jacana underscores their commitment to enhancing digital security.