Wednesday, November 6, 2024
HomeCyber Security NewsChinese Hackers using New Noodle RAT to Attack Linux Servers

Chinese Hackers using New Noodle RAT to Attack Linux Servers

Published on

Malware protection

Cybersecurity experts have identified a new type of malware called “Noodle RAT,” which Chinese-speaking hacker groups use to target Linux servers.

Although this malware has been active since 2016, it has only recently been properly classified, shedding light on its extensive use in both espionage and cybercrime.

The Emergence of Noodle RAT

Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a backdoor malware with versions for both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT).

- Advertisement - SIEM as a Service

According to the TrendMicro blog, Despite its long history, it was often misclassified as variants of other malware such as Gh0st RAT or Rekoobe.

However, recent investigations have confirmed that Noodle RAT is a distinct malware family.

Noodle RAT Timeline
Noodle RAT Timeline

The timeline of Noodle RAT’s development and deployment is as follows:

  • July 2016: v1.0.0 for Win.NOODLERAT compiled.
  • December 2016: v1.0.1 for Linux.NOODLERAT compiled.
  • April 2017: v1.0.1 for Linux.NOODLERAT updated.

Multiple reports have documented attacks involving Noodle RAT since 2018, but it was often misidentified as other malware families.

Analyze any MaliciousURL, Files & Emails & Configuration With ANY RUN Start your Analysis

Notably, espionage campaigns using Noodle RAT have targeted countries such as Thailand, India, Japan, Malaysia, and Taiwan since 2020.

Technical Details of Noodle RAT

Win.NOODLERAT

Win.NOODLERAT is a shellcode-formed in-memory modular backdoor. Groups like Iron Tiger and Calypso APT have used it. Its capabilities include:

  • Downloading and uploading files
  • Running additional in-memory modules
  • Working as a TCP proxy
Relations of Win.NOODLERAT with threat groups
Relations of Win.NOODLERAT with threat groups

The malware uses loaders like MULTIDROP and MICROLOAD for installation and employs complex encryption algorithms for C&C communication.

Linux.NOODLERAT

Linux.NOODLERAT, an ELF version of Noodle RAT, has been used by groups such as Rocke (Iron Cybercrime Group) and the Cloud Snooper Campaign. Its capabilities include:

  • Reverse shell
  • Downloading and uploading files
  • Scheduling execution
  • SOCKS tunnelling
Observed execution flow of Linux.NOODLERAT
Observed execution flow of Linux.NOODLERAT

The malware is typically deployed as an additional payload of an exploit against public-facing applications and uses sophisticated encryption algorithms for C&C communication.

Backdoor Commands

Both Win.NOODLERAT and Linux.NOODLERAT implements various backdoor commands. The following table summarizes some of these commands:

ActionsType 0x03A2 (Win)Type 0x132A (Win)Type 0x03A2 (Linux)Type 0x23F8 (Linux)
Successfully authorized0x03A20x132A0x03A20x23F8
Upload a file to C&C server0x390A0x590A0x30x3
List directories recursively0x390A0x590A0x30x3
Download a file from C&C server0x390A0x590A0x30x3
Initiate reverse shell sessionN/AN/A0x10x1

Similarities with Other Malware

Noodle RAT shares some similarities with Gh0st RAT and Rekoobe, but it is distinct enough to be classified as a new malware family.

Algorithm comparison between Gh0st RAT variants and Noodle RAT
Algorithm comparison between Gh0st RAT variants and Noodle RAT

For instance, while it uses some plugins from Gh0st RAT, the core backdoor code is different. Similarly, Linux.NOODLERAT shares some code with Rekoobe v2018, but the rest of its code is unique.

Recent findings have revealed control panels and builders for Noodle RAT, indicating a sophisticated malware ecosystem.

The control panel for Linux.NOODLERAT, named “NoodLinux v1.0.1,” supports TCP and HTTP for C&C protocol and requires a password to open.

Builders for Linux.NOODLERAT, versions v1.0.1 and v1.0.2, help create custom configurations for the malware.

Control panel of Linux.NOODLERAT v1.0.1
Control panel of Linux.NOODLERAT v1.0.1

Noodle RAT has been misclassified and underrated for years.

This new understanding of its capabilities and usage highlights the need for vigilance in cybersecurity, especially for Linux/Unix systems.

As exploitation against public-facing applications increases, Noodle RAT remains a potent tool for threat actors, making it essential for cybersecurity professionals to stay informed and prepared.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...