Cybersecurity experts have recently uncovered a new type of malware known as “Noodle RAT,” which has been utilized by Chinese-speaking hacker groups to target Linux servers. While this malware has been in existence since 2016, it is only now being properly classified, shedding light on its extensive use in espionage and cybercrime activities.
The Emergence of Noodle RAT
Noodle RAT, also referred to as ANGRYREBEL or Nood RAT, is a backdoor malware that comes in versions for both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT). Despite being active for several years, it was often misidentified as variants of other malware such as Gh0st RAT or Rekoobe. However, recent investigations have confirmed that Noodle RAT is indeed a distinct malware family.
Timeline of Noodle RAT
The timeline of Noodle RAT’s development and deployment is as follows: in July 2016, version v1.0.0 of Win.NOODLERAT was compiled; by December 2016, version v1.0.1 of Linux.NOODLERAT was compiled, and it was updated in April 2017. Although there have been multiple reports of attacks involving Noodle RAT since 2018, the malware was often misclassified as belonging to other families.
Espionage Campaigns and Targets
Espionage campaigns using Noodle RAT have been observed targeting countries such as Thailand, India, Japan, Malaysia, and Taiwan since 2020. These campaigns demonstrate the sophistication of the malware, which makes it a potent tool for cybercriminals and state-sponsored hackers alike.
Technical Details of Noodle RAT
Win.NOODLERAT is a shellcode-formed, in-memory modular backdoor that has been used by groups such as Iron Tiger and Calypso APT. Its capabilities include downloading and uploading files, running additional in-memory modules, and acting as a TCP proxy. The malware is installed by loaders such as MULTIDROP and MICROLOAD and employs complex encryption algorithms for its command-and-control communication.
Linux.NOODLERAT, the ELF version of Noodle RAT, has been used by groups such as Rocke (Iron Cybercrime Group) and in the Cloud Snooper campaign. Its capabilities include executing reverse shells, downloading and uploading files, scheduling execution, and performing SOCKS tunneling.
Backdoor Commands and Malware Families
Both Win.NOODLERAT and Linux.NOODLERAT implement a range of backdoor commands that let threat actors carry out malicious actions on compromised systems. While Noodle RAT shares some similarities with Gh0st RAT and Rekoobe, recent findings show that it is distinct enough to be classified as a new malware family.
Control panels and builders for Noodle RAT have also been discovered, indicating a sophisticated malware ecosystem. The control panel for Linux.NOODLERAT, named “NoodLinux v1.0.1,” supports TCP and HTTP for command and control communication and requires a password for access. Builders for Linux.NOODLERAT assist in creating custom configurations for the malware, enhancing its capabilities and adaptability.
In conclusion, the proper identification and classification of Noodle RAT highlight the evolving landscape of cybersecurity threats, especially for Linux/Unix systems. As the exploitation of public-facing applications continues to rise, it is crucial for cybersecurity professionals to stay informed and vigilant against emerging threats like Noodle RAT. By being proactive and prepared, organizations can better protect themselves against malicious cyber activities and ensure the safety and security of their digital infrastructure.
