According to Trend Micro’s recent analysis, a backdoor has been identified in ELF files. Chinese hackers have been using these ELF files for years, but the backdoor had been mistakenly classified as belonging to other malware families.

Trend Micro Research presented Noodle RAT in a blog post. Chinese-speaking groups use Noodle RAT for criminal activities or espionage as a remote access Trojan. The blog post, titled “Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups,” is based on a Botconf 2024 presentation.

Noodle RAT

Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a relatively simple backdoor confirmed to have both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT) versions. The following timeline details a brief history of this malware.

Despite its long history, Noodle RAT was not properly classified until recently. Since 2018, multiple reports have been published about attacks involving Noodle RAT, but at the time, this ELF backdoor was inadvertently identified as belonging to different malware families. For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019. Upon analysis, we discovered that the ELF backdoor mentioned in these reports was actually Noodle RAT.

Additionally, our telemetry found espionage campaigns using Noodle RAT that have targeted Thailand, India, Japan, Malaysia, and Taiwan since 2020. This brief history shows that Noodle RAT has been shared among multiple groups and used for both espionage and cybercrime.

Win.NOODLERAT

Win.NOODLERAT is a shellcode-based, in-memory modular backdoor, originally reported by NCC Group and Positive Technology Security. Based on other vendors’ reports and our own observations, Win.NOODLERAT appears to be used by Iron Tiger, Calypso APT, and several unknown clusters in espionage campaigns. Its built-in backdoor capabilities are quite simple:

  • Download and upload files
  • Run additional in-memory modules
  • Work as a TCP proxy

Linux.NOODLERAT

Linux.NOODLERAT is an ELF version of Noodle RAT, but with a different design. This backdoor has been used by several groups with various motivations, such as Rocke (Iron Cybercrime Group) for financial gain, the Cloud Snooper Campaign for espionage, and an unknown cluster, also for spying purposes. Since it is designed differently, its backdoor capabilities are also slightly different:

  • Reverse shell
  • Download and upload files
  • Schedule execution
  • SOCKS tunneling

Server Side of Noodle RAT

In its 2019 report, NCC Group disclosed the control panels of Win.NOODLERAT. One of them is named “Noodlesv1.0.0,” which may indicate that it corresponds to Win.NOODLERAT v1.0.0. We also recently found a new version of the control panel and builder of Linux.NOODLERAT on VirusTotal.

Control Panel

The control panel that Trend Micro found was named “NoodLinux v1.0.1.” Like the previously found control panel, it requires a password to open. The password for the previous one was the current year and month (e.g., “202405”), but for this version, the password was hardcoded in the control panel. It could be opened with the password “hello!@#”.

Current Use of Noodle RAT “Highly Probable”

In its blog post, the threat intelligence team provided a technical analysis of both Noodle RAT versions, Win.NOODLERAT and Linux.NOODLERAT, including how they are initialized, how they communicate with their command-and-control (C2) servers, how the backdoor is controlled once installed, and a description of the C2 server features.

“We have confirmed that some samples of Noodle RAT were uploaded to VirusTotal in 2024, which means that it is highly probable that the malware is still in use.

Considering the increase of exploitation against public-facing applications in recent years, malware targeting Linux/Unix systems is becoming more essential for attackers. It might suggest that Noodle RAT could continue to be an attractive option for threat actors for attacks,” the researchers concluded.
