Noodle RAT

A new cross-platform malware named the Noodle RAT, previously unknown to security experts, has been utilized by Chinese-speaking threat actors for espionage and cybercrime purposes over the past few years. Initially thought to be a variant of the Gh0st RAT and Rekoobe, researchers now confirm that the Noodle RAT isn't just a modification of existing malware but an entirely new threat. It operates under aliases like ANGRYREBEL and Nood RAT and is compatible with both Windows and Linux systems. This malware strain is suspected to have been active since at least July 2016.

Attackers Deploy the Noodle RAT Variants Based on Victims’ Systems

The Windows edition of the Noodle RAT, a modular backdoor that operates in-memory, has been utilized by hacker groups such as Iron Tiger and Calypso. Because it is built as shellcode, it must be activated through a loader. This malware is capable of executing various commands, such as downloading and uploading files, running other malware strains, acting as a TCP proxy, and self-deleting. Two distinct loader types, namely MULTIDROP and MICROLOAD, have been identified in attacks targeting Thailand and India, respectively.

On the flip side, the Linux version of the Noodle RAT has been employed by various cybercrime and espionage groups associated with China, such as Rocke and Cloud Snooper. This variant is capable of initiating a reverse shell, managing file transfers, scheduling tasks, and setting up SOCKS tunneling. These attacks exploit known vulnerabilities in publicly accessible applications to infiltrate Linux servers, deploying a Web shell for remote access and malware delivery.

Similarities Between the Noodle RAT Versions

Despite differences in backdoor commands, both versions of the Noodle RAT reportedly share identical Command-and-Control (C2) communications code and use similar configuration formats. Further examination of Noodle RAT artifacts reveals that while the malware incorporates various plugins used by Gh0st RAT, and some segments of the Linux version share code similarities with Rekoobe, the backdoor itself is entirely new.

Researchers have also gained access to a control panel and builder used for the Linux variant of the Noodle RAT. Release notes written in Simplified Chinese detail bug fixes and improvements, suggesting it's likely developed, maintained, and sold to specific customers.

This assessment is reinforced by leaks from early 2024, shedding light on a substantial corporate hack-for-hire ecosystem operating from China. These leaks underscore the operational and organizational connections between private sector entities and Chinese state-sponsored cyber actors.

The Noodle RAT May Be Used by Multiple Chinese Cybercrime Groups

These tools are thought to stem from a sophisticated supply chain within China's cyber espionage network, where they are commercially sold and distributed to both the private sector and government entities involved in malicious state-sponsored operations. The Noodle RAT is likely circulated or sold among Chinese-speaking groups, which would also help explain why it was misclassified and underestimated for such an extended period.
