New Multi-Platform Malware ‘Noodle RAT’ Targets Windows and Linux Operating Systems
An undocumented multi-platform malware known as Noodle RAT has been utilized by Chinese-speaking threat groups for espionage or cybercriminal activities over an extended period.
Originally mistaken for a variant of Gh0st RAT and Rekoobe, the backdoor is, according to Trend Micro security researcher Hara Hiroaki, something else entirely: “this backdoor represents a completely new form of malware rather than just a variation of existing threats.”
Referred to as ANGRYREBEL and Nood RAT as well, Noodle RAT is available for both Windows and Linux systems, with indications of its presence dating back to July 2016.
The first appearance of the remote access tool Gh0st RAT was noted in 2008 when the C. Rufus Security Team, a Chinese threat group, publicly released its source code.
Over time, this malware, together with other tools like PlugX and ShadowPad, has become closely associated with Chinese state-sponsored hackers, who incorporated it into numerous offensive campaigns.
The Windows iteration of Noodle RAT, a modular backdoor that operates in-memory, has been utilized by hacking groups like Iron Tiger and Calypso. Because it is implemented as shellcode, it is launched by a loader; once running, it supports functions such as file download/upload, execution of other malware, acting as a TCP proxy, and self-deletion.
At least two distinct loader types, namely MULTIDROP and MICROLOAD, have been identified in attacks targeting Thailand and India, respectively.
On the other hand, the Linux version of Noodle RAT has been adopted by various cybercrime and espionage factions with ties to China, including groups like Rocke and Cloud Snooper.
The Linux version is capable of spawning a reverse shell, handling file transfer operations, scheduling tasks, and providing SOCKS tunneling. The attacks that deploy it exploit known vulnerabilities in public-facing applications to breach Linux servers and implant a web shell, which is then used for remote access and for delivering the malware.
Although the backdoor functionality differs between the two versions, both are reported to use the same code for command-and-control (C2) communications and to share comparable configuration formats.
An in-depth examination of Noodle RAT artifacts reveals that although the malware incorporates plugins from Gh0st RAT and bears similarities with Rekoobe in some areas, the backdoor itself is entirely distinct.
Trend Micro also managed to access a control panel and builder for Noodle RAT’s Linux edition, which carry descriptions of enhancements written in Simplified Chinese, indicating ongoing development and maintenance and potential sale to specific clients.
This insight is reinforced by the I-Soon disclosures earlier this year, shedding light on a substantial corporate cyber offensive sector based in China and exposing the connections between private enterprises and state-aligned cyber groups.
These tools are believed to originate from a complex supply network within China’s cyber espionage ecosystem, where they are commercialized and distributed across private enterprises and government entities involved in malicious activities.
“Noodle RAT is likely shared among Chinese-speaking threat groups,” Hiroaki remarked. “Noodle RAT has been misidentified and underestimated for a considerable period.”
This development coincides with the attribution to China-linked Mustang Panda (also known as Fireant) of a targeted spear-phishing campaign against Vietnamese entities, which uses tax- and education-themed lures to deliver Windows Shortcut (LNK) files intended to deploy the PlugX malware.