Access Point Instructions
Throughout our examination, we unearthed varying kinds of Win.NOODLERAT that execute different command categorizations. Through one of the commands received post-successful validation by the C&C server, we segregated them into two groups: Type 0x03A2 and Type 0x132A. The backdoor functionality is executed employing a blend of main-ID and non-obligatory sub-ID. Provided below is Table 1 detailing the backdoor commands:
Â
| Activities |
Type 0x03A2 |
Type 0x132A |
||
|
Main-ID |
Sub-ID |
Main-ID |
Sub-ID |
|
|
Authorized successfully |
0x03A2 |
– |
0x132A |
– |
|
End of command message |
0x0AC3 |
– |
0x1AC3 |
– |
|
Initialize metadata module |
0x194C |
– |
0x294C |
– |
|
Retrieve module information |
0x1AF2 |
– |
0x2AC8 |
– |
|
Initiate module without pipe |
0x1397 |
– |
0x230E |
– |
|
Remove module metadata |
0x1D50 |
– |
0x2D06 |
– |
|
Transfer file to C&C server |
0x390A |
0x35C3 & 0x35C4 & 0x3013 |
0x590A |
0x55C3 & 0x55C4 & 0x5013 |
|
Enumerate directories recursively |
0x390A |
0x35C5 |
0x590A |
0x55C5 |
Table 1. Run-through of Win.NOODLERAT’s backdoor instructions
The first type, Type 0x03A2, encompasses the majority of commands except for the final one, self-deletion. This variant of Win.NOODLERAT was utilized by Iron Tiger and various unspecified clusters for surveillance purposes, hinting at a potential shared iteration of the software.
The second type, Type 0x132A, incorporates all functionalities. Specifically adopted by Calypso APT, this version of Win.NOODLERAT is perceived to be an exclusive release.
When comparing the command IDs, we noticed resemblances amidst some. For example, the command IDs for file uploading to the C&C server are 0x390A and 0x590A respectively; this parallelism might suggest versioning but lacks concrete evidence to support such a claim.
Linux.NOODLERAT
Linux.NOODLERAT is an ELF adaptation of Noodle RAT, albeit with a distinct blueprint. This backdoor has been harnessed by diverse factions for various motives, including Rocke (Iron Cybercrime Group) for fiscal gains
Cloud Snooper Campaign for espionage, and an unidentified group for espionage objectives. Given its distinct design, the backdoor capabilities of Linux.NOODLERAT also differ slightly:
- Remote shell
- Retrieve & Dispatch files
- Execution scheduling
- SOCKS tunneling
Initialization
Typically, Linux.NOODLERAT was deployed as an added payload of an exploit targeting public-facing applications. Post-deployment, the backdoor duplicates itself to /tmp/CCCCCCCC and engages in process name obfuscation by overwriting “argv.” It then decrypts the embedded config using RC4 with the hardcoded key, “r0st@#$.” The decrypted config is structured as depicted in the diagram below; Linux.NOODLERAT will connect to the designated C&C server based on the config.
About Author
