Noodle RAT: Researchers Identify Chinese Espionage Backdoor In-Use Since 2018
Trend Micro discovered that the Noodle RAT backdoor has been misidentified as Gh0st RAT and Rekoobe since 2018. It has been used for cyberespionage and financial cybercriminal campaigns by Chinese-speaking groups for years. Here’s what you should know about it.
- Noodle RAT backdoor has been used for cyberespionage and financial cybercriminal campaigns for years.
- However, Trend Micro recently discovered that it has been misclassified as Gh0st RAT or Rekoobe since 2018.
- The company shared its research to set the record straight.
A backdoor previously thought to be a variant of other existing malware is now reported to have distinctive characteristics. According to Trend Micro researchers, Chinese-speaking threat actors have used this backdoor for espionage and other cybercriminal activities.
Trend Micro customer technology specialist Hara Hiroaki noted that this backdoor, Noodle RAT, has been incorrectly identified as a variant of Gh0st RAT or Rekoobe for years. Multiple reports by cybersecurity companies described the malware's use by Iron Tiger in 2018 (reported by NCC Group), Rocke or Iron Cybercrime Group in 2018 (Cisco Talos), the Cloud Snooper campaign in 2018 (Sophos), and Calypso APT in 2019 (Positive Technologies).
As it turns out, these malicious campaigns were based on the Noodle RAT backdoor, also known as ANGRYREBEL or Nood RAT. Noodle RAT is an executable and linkable format (ELF) backdoor that can be used to target Windows and Linux systems. It has been used for cyberespionage against Japan, India, Malaysia, Thailand and Taiwan since 2020 and has existed since at least 2016.
Noodle RAT Timeline
Source: Trend Micro
In other words, Noodle RAT wasn’t properly classified for as long as eight years, possibly because its code overlaps with the Gh0st RAT and Rekoobe malware families. Trend Micro explained, “Apart from the plugins, there is no apparent similarity in the rest of the code of Noodle RAT and Gh0st RAT, leading us to the conclusion that the plugins were simply reused but the backdoor itself is totally different.”
Further, the Linux version of Noodle RAT also shares some code similarities with Rekoobe v2018, including reverse shell and process name spoofing.
“The code of the reverse shell session of Linux.NOODLERAT is completely the same as the one of Tiny SHell, which leads us to believe that the author of Noodle RAT might have just copied this part from Tiny SHell in GitHub. On the other hand, the technique to spoof the process name by overwriting ‘argv’ is unique to Rekoobe v2018; this is not implemented in Tiny SHell and Rekoobe v2015. This can indicate that the author of Noodle RAT might be able to access the source code of Rekoobe v2018,” Hiroaki explained.
“Still, since the rest of the code of Linux.NOODLERAT is totally different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family.”
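The argv-overwriting trick described above changes what `ps` and `/proc/<pid>/cmdline` show, but on Linux it does not touch the kernel's own task name (`/proc/<pid>/comm`) or the resolved binary path (`/proc/<pid>/exe`). The following detection helper is an added example, not Trend Micro's code or anything from the Noodle RAT report; it compares those three views of each process and flags the ones where argv[0] matches neither. The `ProcView` type, the helper names and the sample process records are constructed for this illustration.

```python
"""Flag Linux processes whose argv[0] disagrees with the binary they actually run.

Process-name spoofing by rewriting argv only alters /proc/<pid>/cmdline; the kernel
still records the original task name in /proc/<pid>/comm and the real executable in
/proc/<pid>/exe. Added example (hypothetical helper), not code from the original page.
"""
import os
from dataclasses import dataclass


@dataclass
class ProcView:
    pid: int
    cmdline: bytes  # raw /proc/<pid>/cmdline, NUL-separated argv
    comm: str       # /proc/<pid>/comm, truncated by the kernel to 15 bytes
    exe: str        # resolved /proc/<pid>/exe symlink


def argv0_basename(cmdline: bytes) -> str:
    """Return the basename of argv[0]; login shells prefix it with '-' (e.g. '-bash')."""
    first = cmdline.split(b"\0", 1)[0]
    return os.path.basename(first.decode("utf-8", "replace")).lstrip("-")


def is_spoofed(view: ProcView) -> bool:
    """True when argv[0] matches neither the real executable name nor the kernel task name.

    argv[0] may legitimately differ from the exe basename (symlinked interpreters such as
    python3 -> python3.11, multi-call binaries like busybox), so comm is used as a second
    reference: it is set from the execve path and is not changed by rewriting argv.
    A sample that also rewrites comm via prctl(PR_SET_NAME) would need the exe-vs-comm
    comparison as well; this helper only covers the argv rewrite.
    """
    argv0 = argv0_basename(view.cmdline)
    if not argv0:
        return False  # kernel threads and zombies have an empty cmdline
    exe_name = os.path.basename(view.exe)
    if argv0 == exe_name:
        return False
    if argv0[:15] == view.comm.strip()[:15]:
        return False
    return True


def read_proc(pid: int) -> ProcView:
    """Build a ProcView from the live /proc filesystem (requires permission to read exe)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        cmdline = f.read()
    with open(f"/proc/{pid}/comm", "r", encoding="utf-8", errors="replace") as f:
        comm = f.read().strip()
    exe = os.readlink(f"/proc/{pid}/exe")
    return ProcView(pid=pid, cmdline=cmdline, comm=comm, exe=exe)


def scan_proc() -> list[ProcView]:
    """Return every readable process whose argv[0] looks rewritten."""
    suspicious = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            view = read_proc(int(entry))
        except (OSError, PermissionError):
            continue  # process exited or exe link not readable (other user's process)
        if is_spoofed(view):
            suspicious.append(view)
    return suspicious


# Constructed sample records (not real telemetry) showing the cases the check separates.
SAMPLES = {
    "spoofed":  ProcView(4242, b"/usr/sbin/sshd\0-D\0", "noodle", "/tmp/.x/noodle"),
    "sshd":     ProcView(1001, b"/usr/sbin/sshd\0-D\0", "sshd", "/usr/sbin/sshd"),
    "login_sh": ProcView(1002, b"-bash\0", "bash", "/usr/bin/bash"),
    "python":   ProcView(1003, b"python3\0app.py\0", "python3", "/usr/bin/python3.11"),
    "kthread":  ProcView(2, b"", "kthreadd", ""),
}


if __name__ == "__main__":
    for name, view in SAMPLES.items():
        print(f"{name:9s} pid={view.pid:<5d} spoofed={is_spoofed(view)}")
    for view in scan_proc():
        print(f"live pid {view.pid}: argv0={argv0_basename(view.cmdline)!r} "
              f"comm={view.comm!r} exe={view.exe!r}")
```

The constructed `spoofed` record is the pattern the quoted analysis describes: a binary running from a temporary directory that has rewritten its argv to read as `sshd`, while `comm` and `exe` still name the real file. Run as a script it prints the sample verdicts and then any live matches; on a real host treat a hit as a lead to pivot on (parent process, network sockets, file hash), not as a verdict by itself.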
Here’s how the Noodle RAT versions for Windows and Linux compare:
Backdoor Functionality | Win.NOODLERAT | Linux.NOODLERAT
---|---|---
File Downloading/Uploading | Y | Y
Run Additional Modules/Malware | Y | N
Work as TCP proxy | Y | N
SOCKS tunneling | N | Y
Command and Control Communication | TCP, SSL, and HTTP | TCP and HTTP
RC4 encryption | Y | Y
Reverse shell | N | Y
Schedule execution | N | Y
Trend Micro noted that the Windows version of Noodle RAT has been used for espionage by Iron Tiger, Calypso APT and others in Thailand and India. Meanwhile, Rocke, Cloud Snooper Group and an unknown group have used the Linux variant of Noodle RAT for financial crimes and espionage.