A previously undocumented cross-platform malware codenamed Noodle RAT has been put to use by Chinese-speaking threat actors for either espionage or cybercrime for years.
While this backdoor was previously categorized as a variant of Gh0st RAT and Rekoobe, Trend Micro security researcher Hara Hiroaki said “this backdoor is not merely a variant of existing malware, but is a new type altogether.”
Noodle RAT, which also goes by the monikers ANGRYREBEL and Nood RAT, comes in both Windows and Linux flavors, and is believed to have been in use since at least July 2016.
The remote access trojan Gh0st RAT first surfaced in 2008, when a Chinese threat group known as the C. Rufus Security Team made its source code publicly available.
Over the years, the malware, alongside other tools like PlugX and ShadowPad, has become a hallmark of Chinese government hackers, who have used it in numerous campaigns and attacks.
The Windows version of Noodle RAT, an in-memory modular backdoor, has been put to use by hacking crews like Iron Tiger and Calypso. Launched via a loader because it is built as shellcode, it supports commands to download/upload files, run additional kinds of malware, function as a TCP proxy, and even delete itself.
At least two different types of loaders, namely MULTIDROP and MICROLOAD, have been observed to date in attacks aimed at Thailand and India, respectively.
Noodle RAT's Linux counterpart, on the other hand, has been used by different cybercrime and espionage clusters linked to China, including Rocke and Cloud Snooper.
It is equipped to launch a reverse shell, download/upload files, schedule execution, and initiate SOCKS tunneling. The attacks leverage known security flaws in public-facing applications to breach Linux servers and drop a web shell for remote access and malware delivery.
Despite the differences in the backdoor commands, both versions are said to share identical code for command-and-control (C2) communications and use similar configuration formats.
Further analysis of Noodle RAT artifacts shows that while the malware reuses various plugins used by Gh0st RAT, and some parts of the Linux version share code overlaps with Rekoobe, the backdoor itself is entirely new.
Trend Micro said it was also able to gain access to a control panel and builder used for Noodle RAT's Linux variant, with release notes written in Simplified Chinese containing details about bug fixes and improvements, indicating that it is likely developed, maintained, and sold to customers of interest.
This hypothesis is also bolstered by the I-Soon leaks earlier this year, which highlighted a vast corporate hack-for-hire scene operating out of China and the operational and organizational ties between private sector companies and Chinese state-sponsored cyber actors.
Such tools are believed to be the result of a complex supply chain within China's cyber espionage ecosystem, where they are sold and distributed on a commercial basis across the private sector and government entities engaged in malicious state-sponsored activities.
“Noodle RAT is likely shared (or for sale) among Chinese-speaking groups,” Hiroaki said. “Noodle RAT has been misclassified and underrated for years.”
The development comes as the China-linked Mustang Panda (aka Fireant) has been tied to a spear-phishing campaign targeting Vietnamese entities that uses tax- and education-themed lures to deliver Windows Shortcut (LNK) files designed to potentially deploy the PlugX malware.