A previously undocumented cross-platform malware codenamed Noodle RAT has been put to use by Chinese-speaking threat actors either for espionage or cybercrime for years.
While this backdoor was previously categorized as a variant of Gh0st RAT and Rekoobe, Trend Micro security researcher Hara Hiroaki said “this backdoor is not merely a variant of existing malware, but is a new type altogether.”
Noodle RAT, which also goes by the monikers ANGRYREBEL and Nood RAT, comes in both Windows and Linux flavors, and is believed to have been put to use since at least July 2016.
The remote access tran Gh0st RAT first surfaced in 2008 when a China threat group called the C. Rufus Security Team made its source code publicly available.
Over the years, the malware – alongside other tools like PlugX and ShadowPad – has become a hallmark of Chinese government hackers, who have used it in numerous campaigns and attacks.
The Windows version of Noodle RAT, an in-memory modular backdoor, has been put to use by hacking crews like Iron Tiger and Calypso. Launched via a loader due to its shellcode foundations, it supports commands to download/upload files, run additional types of malware, function as a TCP proxy, and even delete itself.
At least two different types of loaders, viz. MULTIDROP and MICROLOAD, have been observed to date in attacks aimed at Thailand and India, respectively.
Noodle RAT’s Linux counterpart, on the other hand, has been utilized by different cybercrime and espionage clusters linked to China, including Rocke and Cloud Snooper.
It’s equipped to launch a reverse shell, download/upload files, schedule execution, and initiate SOCKS tunneling, with the attacks leveraging known security flaws in public-facing applications to breach Linux servers and drop a web shell for remote access and malware delivery.
Despite the differences in the backdoor commands, both versions are said to share identical code for command-and-control (C2) communications and use similar configuration formats.
Further analysis of Noodle RAT artifacts shows that while the malware reuses various plugins used by Gh0st RAT and some parts of the Linux version share code overlaps with Rekoobe, the backdoor in itself is entirely new.
Trend Micro said it was also able to gain access to a control panel and builder used for Noodle RAT’s Linux variant with release notes written in Simplified Chinese containing details about bug fixes and improvements, indicating that it’s likely developed, maintained, and sold to customers of interest.
This hypothesis is also bolstered by the I-Soon leaks earlier this year, which highlighted a vast corporate hack-for-hire scene operating out of China and the operational and organizational ties between private sector firms and Chinese state-sponsored cyber actors.
Such tools are believed to be the result of a complex supply chain within China’s cyber espionage ecosystem, where they are sold and distributed on a commercial basis across the private sector and government entities engaged in malicious state-sponsored activities.
“Noodle RAT is likely shared (or for sale) among Chinese-speaking groups,” Hiroaki said. “Noodle RAT has been misclassified and underrated for years.”
The development comes as the China-linked Mustang Panda (aka Fireant) has been linked to a spear-phishing campaign targeting Vietnamese entities using tax- and education-themed lures to deliver Windows Shortcut (LNK) files that are designed to likely deploy the PlugX malware.
