
A previously undocumented cross-platform malware, Noodle RAT, has been used by Chinese-speaking threat actors for espionage and cybercrime for several years.
Although it was initially categorized as a variant of Gh0st RAT and Rekoobe, Trend Micro security researcher Hara Hiroaki clarified that “this backdoor is not merely a variant of existing malware, but is a new type altogether.”
Noodle RAT, also known as ANGRYREBEL and Nood RAT, has variants for both Windows and Linux systems and is believed to have been in use since at least July 2016.
The malware’s predecessor, Gh0st RAT, surfaced in 2008 when the C. Rufus Security Team, a Chinese threat group, made its source code publicly available. Over time, Gh0st RAT, along with tools like PlugX and ShadowPad, became a hallmark of Chinese government hackers, used in numerous campaigns and attacks.
Windows and Linux Variants
The Windows version of Noodle RAT is an in-memory modular backdoor used by hacking groups such as Iron Tiger and Calypso. Because it is built as shellcode, it is launched via a loader; once running, it supports commands to download and upload files, run additional malware, act as a TCP proxy, and even delete itself. Two loaders, MULTIDROP and MICROLOAD, have been observed in attacks targeting Thailand and India.
New Cross-Platform Malware ‘Noodle RAT’ Targets Windows and Linux Systems https://t.co/yHz0ZctSCY
— Yorick Reintjens 🚀🔥 (@YorickReintjens) June 13, 2024
The Linux counterpart has been employed by different cybercrime and espionage groups linked to China, such as Rocke and Cloud Snooper. It can launch a reverse shell, download/upload files, schedule execution, and initiate SOCKS tunneling. These attacks exploit known security flaws in public-facing applications to breach Linux servers and deploy a web shell for remote access and malware delivery.
Despite differences in their backdoor commands, both versions share identical code for command-and-control (C2) communications and use similar configuration formats. Further analysis revealed that, although the malware reuses plugins from Gh0st RAT and shares some code with Rekoobe, Noodle RAT is entirely new.
Development and Attribution
Trend Micro gained access to a control panel and builder for Noodle RAT’s Linux variant, with release notes written in Simplified Chinese detailing bug fixes and improvements. This suggests the malware is actively developed and maintained and sold to specific customers. The theory is supported by the I-Soon leaks earlier this year, which highlighted a vast corporate hack-for-hire scene operating out of China and ties between private firms and state-sponsored cyber actors.
These tools are believed to result from a complex supply chain within China’s cyber espionage ecosystem, sold and distributed commercially to both private sector and government entities engaged in malicious activities.
“Noodle RAT is likely shared (or for sale) among Chinese-speaking groups,” Hiroaki noted. “Noodle RAT has been misclassified and underrated for years.”
This discovery comes as Mustang Panda (aka Fireant), another China-linked group, has been linked to a spear-phishing campaign targeting Vietnamese entities with tax- and education-themed lures to deliver Windows Shortcut (LNK) files designed to deploy PlugX malware.
Abdul Rehman