A backdoor in Executable and Linkable Format (ELF) files used by Chinese hackers has wrongly been identified as a variant of existing malware for years, Trend Micro claimed in a new report.
In Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups, a blog post based on a Botconf 2024 presentation, Trend Micro Research introduced Noodle RAT, a remote access Trojan used by Chinese-speaking groups engaged in either espionage or cybercrime.
A Longstanding But Misclassified Backdoor
Also known as ANGRYREBEL or Nood RAT, Noodle RAT has been active since at least 2018. However, it was always considered a variant of an existing malware strain such as Gh0st RAT or Rekoobe.
“For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019,” said Trend Micro.
Upon analysis, the cybersecurity provider’s threat intelligence team discovered that the ELF backdoor mentioned in these reports was actually a new malware strain, which they named Noodle RAT.
The researchers also claimed they found espionage campaigns using Noodle RAT targeting Thailand, India, Japan, Malaysia and Taiwan since 2020.
Why Noodle RAT is a New Malware Strain
Noodle RAT is a relatively simple backdoor deployed in two versions: a Windows one called Win.NOODLERAT and a Linux one called Linux.NOODLERAT.
The Windows version of Noodle RAT has several links to Gh0st RAT, a malware strain originally developed by the C. Rufus Security Team in China, whose code leaked in 2008.
For instance, Win.NOODLERAT and Gh0st RAT use the same plugins, and the former implements a packet encryption algorithm slightly similar to the one used by some variants of Gh0st RAT, such as Gh0stCringe, HiddenGh0st and Gh0stTimes.
However, the rest of Win.NOODLERAT’s code does not appear similar to Gh0st RAT’s, leading Trend Micro to conclude that the plugins were simply reused, while the backdoor itself is entirely different.
Additionally, some of Linux.NOODLERAT’s code is the same as that of Rekoobe v2018, a backdoor based on Tiny SHell (aka tsh), whose source code is publicly available on GitHub.
Specifically, both include the same reverse shell and process name spoofing techniques.
“Still, since the rest of the code of Linux.NOODLERAT is entirely different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family,” Trend Micro said.
Current Use of Noodle RAT “Highly Likely”
In its blog post, the threat intelligence team provided a technical analysis of both Noodle RAT versions, Win.NOODLERAT and Linux.NOODLERAT, including how they are initialized, how they communicate with their command and control (C2) servers, how the backdoor is controlled once installed, and an overview of the C2 server’s features.
“We have confirmed that some samples of Noodle RAT were uploaded to VirusTotal in 2024, which indicates that it is highly likely that the malware is still in use.
Considering the rise of exploitation against public-facing applications in recent years, malware targeting Linux/Unix systems is becoming more significant for attackers. It might suggest that Noodle RAT could continue to be an attractive option for threat actors for attacks,” the researchers concluded.