Noodle RAT: Evaluation of the Recent Backdoor Utilized by Mandarin-Speaking Groups

Access Point Instructions

Throughout our examination, we unearthed varying kinds of Win.NOODLERAT that execute different command categorizations. Through one of the commands received post-successful validation by the C&C server, we segregated them into two groups: Type 0x03A2 and Type 0x132A. The backdoor functionality is executed employing a blend of main-ID and non-obligatory sub-ID. Provided below is Table 1 detailing the backdoor commands:
 

Table 1. Run-through of Win.NOODLERAT’s backdoor instructions

The first type, Type 0x03A2, encompasses the majority of commands except for the final one, self-deletion. This variant of Win.NOODLERAT was utilized by Iron Tiger and various unspecified clusters for surveillance purposes, hinting at a potential shared iteration of the software.

The second type, Type 0x132A, incorporates all functionalities. Specifically adopted by Calypso APT, this version of Win.NOODLERAT is perceived to be an exclusive release.

When comparing the command IDs, we noticed resemblances amidst some. For example, the command IDs for file uploading to the C&C server are 0x390A and 0x590A respectively; this parallelism might suggest versioning but lacks concrete evidence to support such a claim.

Linux.NOODLERAT

Linux.NOODLERAT is an ELF adaptation of Noodle RAT, albeit with a distinct blueprint. This backdoor has been harnessed by diverse factions for various motives, including Rocke (Iron Cybercrime Group) for fiscal gains

Cloud Snooper Campaign for espionage, and an unidentified group for espionage objectives. Given its distinct design, the backdoor capabilities of Linux.NOODLERAT also differ slightly:

• Remote shell
• Retrieve & Dispatch files
• Execution scheduling
• SOCKS tunneling

Initialization

Typically, Linux.NOODLERAT was deployed as an added payload of an exploit targeting public-facing applications. Post-deployment, the backdoor duplicates itself to /tmp/CCCCCCCC and engages in process name obfuscation by overwriting “argv.” It then decrypts the embedded config using RC4 with the hardcoded key, “r0st@#$.” The decrypted config is structured as depicted in the diagram below; Linux.NOODLERAT will connect to the designated C&C server based on the config.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts