Chinese Threat Actors Leveraging 'Noodle RAT' Backdoor

Noodle RAT, aka ANGRYREBEL or Nood RAT, has been active since at least 2018.


A backdoor in Executable and Linkable Format (ELF) files used by Chinese hackers has been misidentified as a version of existing malware for years, Trend Micro claimed in a recent analysis. 

In Noodle RAT: Reviewing the New Backdoor utilised by Chinese-Speaking Groups, a blog post based on a Botconf 2024 presentation, Trend Micro Research revealed Noodle RAT, a remote access Trojan employed by Chinese-speaking groups involved in espionage or criminal activity.

Noodle RAT, aka ANGRYREBEL or Nood RAT, has been active since at least 2018. However, it was always regarded as a variant of an existing malware strain, such as Gh0st RAT or Rekoobe.

“For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019,” noted Trend Micro. 

The cybersecurity provider's threat intelligence team revealed that the ELF backdoor mentioned in these reports was actually a new malware strain known as Noodle RAT. 

Noodle RAT: New Malware Strain

Since 2020, the researchers claim to have discovered espionage campaigns employing Noodle RAT that targeted Thailand, India, Japan, Malaysia, and Taiwan. 

The Windows version of Noodle RAT has several links to Gh0st RAT, a malware strain developed by the C. Rufus Security Team in China and exposed in 2008. For example, Win.NOODLERAT and Gh0st RAT share plugins, and the former uses a packet encryption method that partly resembles the one employed by various Gh0st RAT variants, including Gh0stCringe, HiddenGh0st, and Gh0stTimes.

However, the rest of Win.NOODLERAT's code does not appear to overlap with Gh0st RAT's, prompting Trend Micro to infer that only the plugins were reused and that the backdoor itself is entirely different.

Additionally, some of Linux.NOODLERAT's code is identical to Rekoobe v2018, a backdoor built on Tiny SHell (or tsh), whose source code is freely available on GitHub. Specifically, both use the same reverse shell and process name spoofing techniques.

“Still, since the rest of the code of Linux.NOODLERAT is totally different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family,” Trend Micro concluded.