Tuesday, June 25, 2024

Chinese Hackers using New Noodle RAT to Attack Linux Servers

Cybersecurity experts have identified a new type of malware called “Noodle RAT,” which Chinese-speaking hacker groups use to target Linux servers.

Although this malware has been active since 2016, it has only recently been properly classified, shedding light on its extensive use in both espionage and cybercrime.

The Emergence of Noodle RAT

Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a backdoor malware with versions for both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT).

According to the TrendMicro blog, Despite its long history, it was often misclassified as variants of other malware such as Gh0st RAT or Rekoobe.

However, recent investigations have confirmed that Noodle RAT is a distinct malware family.

Noodle RAT Timeline
Noodle RAT Timeline

The timeline of Noodle RAT’s development and deployment is as follows:

  • July 2016: v1.0.0 for Win.NOODLERAT compiled.
  • December 2016: v1.0.1 for Linux.NOODLERAT compiled.
  • April 2017: v1.0.1 for Linux.NOODLERAT updated.

Multiple reports have documented attacks involving Noodle RAT since 2018, but it was often misidentified as other malware families.

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

Notably, espionage campaigns using Noodle RAT have targeted countries such as Thailand, India, Japan, Malaysia, and Taiwan since 2020.

Technical Details of Noodle RAT


Win.NOODLERAT is a shellcode-formed in-memory modular backdoor. Groups like Iron Tiger and Calypso APT have used it. Its capabilities include:

  • Downloading and uploading files
  • Running additional in-memory modules
  • Working as a TCP proxy
Relations of Win.NOODLERAT with threat groups
Relations of Win.NOODLERAT with threat groups

The malware uses loaders like MULTIDROP and MICROLOAD for installation and employs complex encryption algorithms for C&C communication.


Linux.NOODLERAT, an ELF version of Noodle RAT, has been used by groups such as Rocke (Iron Cybercrime Group) and the Cloud Snooper Campaign. Its capabilities include:

  • Reverse shell
  • Downloading and uploading files
  • Scheduling execution
  • SOCKS tunnelling
Observed execution flow of Linux.NOODLERAT
Observed execution flow of Linux.NOODLERAT

The malware is typically deployed as an additional payload of an exploit against public-facing applications and uses sophisticated encryption algorithms for C&C communication.

Backdoor Commands

Both Win.NOODLERAT and Linux.NOODLERAT implements various backdoor commands. The following table summarizes some of these commands:

ActionsType 0x03A2 (Win)Type 0x132A (Win)Type 0x03A2 (Linux)Type 0x23F8 (Linux)
Successfully authorized0x03A20x132A0x03A20x23F8
Upload a file to C&C server0x390A0x590A0x30x3
List directories recursively0x390A0x590A0x30x3
Download a file from C&C server0x390A0x590A0x30x3
Initiate reverse shell sessionN/AN/A0x10x1

Similarities with Other Malware

Noodle RAT shares some similarities with Gh0st RAT and Rekoobe, but it is distinct enough to be classified as a new malware family.

Algorithm comparison between Gh0st RAT variants and Noodle RAT
Algorithm comparison between Gh0st RAT variants and Noodle RAT

For instance, while it uses some plugins from Gh0st RAT, the core backdoor code is different. Similarly, Linux.NOODLERAT shares some code with Rekoobe v2018, but the rest of its code is unique.

Recent findings have revealed control panels and builders for Noodle RAT, indicating a sophisticated malware ecosystem.

The control panel for Linux.NOODLERAT, named “NoodLinux v1.0.1,” supports TCP and HTTP for C&C protocol and requires a password to open.

Builders for Linux.NOODLERAT, versions v1.0.1 and v1.0.2, help create custom configurations for the malware.

Control panel of Linux.NOODLERAT v1.0.1
Control panel of Linux.NOODLERAT v1.0.1

Noodle RAT has been misclassified and underrated for years.

This new understanding of its capabilities and usage highlights the need for vigilance in cybersecurity, especially for Linux/Unix systems.

As exploitation against public-facing applications increases, Noodle RAT remains a potent tool for threat actors, making it essential for cybersecurity professionals to stay informed and prepared.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles