Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant) – ASEC BLOG

ASEC reports that Nood RAT, a Linux variant of Gh0st RAT, is used in attacks and features a builder, RC4 encryption, and process-name spoofing. It provides remote shell, Socks proxy, and port forwarding capabilities and has a history of campaigns including WebLogic CVE-2017-10271 and Cloud Snooper, with an extensive list of IOCs. #NoodRAT #Gh0stRAT

Keypoints

  • Nood RAT is a Linux-based variant of Gh0st RAT, developed via a builder that can produce x86 or x64 binaries.
  • The malware disguises itself by changing its process name (masquerading), copies itself to /tmp/CCCCCCCC, runs that copy, and then deletes the copied file while the process keeps running.
  • Configuration data and C2 traffic are encrypted with RC4; the configuration is decrypted with the key “r0st@#$”, while Socks proxy and port-forwarding traffic uses the key “VMware#@!Station”.
  • On first C2 contact, the malware sends encrypted system information (hostname, /etc/issue, IPs, etc.) to the C2 server.
  • It supports remote shell and file management, Socks proxy, and port forwarding, enabling command execution, file transfers, and lateral movement.
  • Historical deployments include WebLogic CVE-2017-10271 attacks and usage by Cloud Snooper; numerous samples are posted on VirusTotal.
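Because both RC4 keys are published, an analyst can try them against any blob carved from a sample or a pcap before reversing the config format. The following is an added example written for this page, not code from the ASEC post; it assumes only what the post states (plain RC4, the two keys) and makes no assumption about the config layout, so the output is judged solely on whether it looks like text. The sample blob is constructed here, not a real Nood RAT configuration.

```python
"""Triage helper: RC4-decrypt a captured blob with the Nood RAT keys published by ASEC.

Added example for this page; not code from the ASEC post. Only the two keys and the
use of plain RC4 come from the post. The config layout is unknown here, so the result
is checked only for plausible text.
"""
from typing import Optional, Tuple

KNOWN_KEYS = {
    "config": b"r0st@#$",           # configuration data
    "proxy": b"VMware#@!Station",   # Socks proxy and port-forwarding traffic
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(buf: bytes) -> bool:
    """Plausibility check: non-empty and >95% printable ASCII, whitespace or NUL padding."""
    if not buf:
        return False
    ok = sum(1 for b in buf if 32 <= b < 127 or b in (0, 9, 10, 13))
    return ok / len(buf) > 0.95


def try_known_keys(blob: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (key label, plaintext) for the first key that yields plausible text, else None."""
    for label, key in KNOWN_KEYS.items():
        pt = rc4(key, blob)
        if looks_like_text(pt):
            return label, pt
    return None


# Constructed sample for offline use, NOT a real Nood RAT config: a placeholder
# host:port string encrypted here with the config key, standing in for a blob
# carved from a sample's data section or from a pcap.
SAMPLE_BLOB = rc4(KNOWN_KEYS["config"], b"c2.example.invalid:443\x00")

if __name__ == "__main__":
    hit = try_known_keys(SAMPLE_BLOB)
    print("no key matched" if hit is None else f"{hit[0]} key: {hit[1]!r}")
```

A wrong key produces pseudo-random bytes, which fail the printable-text threshold, so the label returned also tells you which channel the blob came from (configuration vs. proxy traffic). Replace `SAMPLE_BLOB` with bytes read from the sample or extracted from a TCP stream to use it on real data.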

MITRE Techniques

  • [T1036] Masquerading – Change process name to disguise itself as a legitimate program. (‘Nood RAT has a feature that changes its name in order to disguise itself as a legitimate program.’)
  • [T1027] Obfuscated Files or Information – Configuration data is stored RC4-encrypted and decrypted at runtime; the RC4 key is “r0st@#$”. (‘the configuration data is also encrypted using the RC4 algorithm, and the RC4 key used in the decryption process is the string “r0st@#$”.’)
  • [T1070.004] Indicator Removal: File Deletion – Copies itself to /tmp/CCCCCCCC, runs the copy, and deletes that file while the process is running, leaving no binary on disk. (‘copies and pastes itself into the “/tmp/CCCCCCCC” path, runs it, and deletes the copied file.’)
  • [T1082] System Information Discovery – Gathers and sends infected system information on first contact with C2. (‘When connecting to the C&C server for the first time, Gh0st RAT obtains basic information about the infected system and sends the data.’)
  • [T1059.004] Unix Shell – Remote shell capability enabling command execution on infected systems. (‘remote shell & file management’)
  • [T1090] Proxy – Provides Socks proxy and port-forwarding channels through the infected host; this traffic is RC4-encrypted with a separate key, “VMware#@!Station”, rather than the configuration key. (‘Socks proxy and port forwarding communication, the string “VMware#@!Station” is used instead.’)
  • [T1190] Exploit Public-Facing Application – Installed via WebLogic vulnerability CVE-2017-10271. (‘The oldest record of the malware is the case where it was installed via a WebLogic vulnerability (CVE-2017-10271) attack.’)
  • [T1105] Ingress Tool Transfer – Downloads malicious files as part of its operation. (‘downloading malicious files’)
  • [T1041] Exfiltration Over C2 Channel – Sends infected system data to the C2 server during initial contact. (‘…sends the data.’)
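The masquerading and file-deletion behaviours above leave a visible inconsistency on a live host: the name shown by ps no longer matches the binary mapped into the process, and /proc/<pid>/exe points at /tmp/CCCCCCCC with the kernel's “(deleted)” suffix. The following host-triage script is an added example written for this page, not code from the ASEC post; it reads only the standard /proc files (comm, cmdline, exe). The drop path comes from the post; the matching heuristics and the sample process records are constructed here.

```python
"""Host triage: flag Linux processes showing the Nood RAT behaviours reported by ASEC.

Added example for this page, not code from the ASEC post. Only the drop path
/tmp/CCCCCCCC comes from the post; the heuristics and sample records are constructed.
"""
import os
from dataclasses import dataclass
from typing import List, Tuple

DROP_PATH = "/tmp/CCCCCCCC"       # drop location reported by ASEC
DELETED = " (deleted)"            # suffix the kernel appends to /proc/<pid>/exe after unlink


@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/comm, the name the kernel shows (15 chars max)
    cmdline: List[str]   # argv from /proc/<pid>/cmdline, what ps/top display
    exe: str             # readlink(/proc/<pid>/exe), the binary actually mapped


def _name_mismatch(shown: str, real: str) -> bool:
    """True when a displayed name is unrelated to the real binary name.
    Prefix tolerance absorbs comm's 15-char truncation and versioned
    interpreters (argv0 'python3' for /usr/bin/python3.11). Symlinked
    shells (argv0 'sh' for /usr/bin/dash) still need a local allowlist."""
    if not shown or not real:
        return False
    return not (real.startswith(shown) or shown.startswith(real))


def suspicious_reasons(p: ProcInfo) -> List[str]:
    """Return the indicators matched by one process (empty list means clean)."""
    reasons = []
    if p.exe.startswith(DROP_PATH):
        reasons.append(f"executable under {DROP_PATH}")
    if p.exe.endswith(DELETED):
        reasons.append("backing executable deleted while still running")
    real = os.path.basename(p.exe[: -len(DELETED)] if p.exe.endswith(DELETED) else p.exe)
    shown = {p.comm}
    if p.cmdline:
        shown.add(os.path.basename(p.cmdline[0]))
    for name in sorted(shown):
        if _name_mismatch(name, real):
            reasons.append(f"displayed name {name!r} does not match binary {real!r}")
    return reasons


def read_proc(pid: int) -> ProcInfo:
    """Collect the three fields for a live pid (raises OSError for kernel threads or exited pids)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\x00") if a]
    return ProcInfo(pid, comm, cmdline, os.readlink(f"{base}/exe"))


def scan_live() -> List[Tuple[int, str, List[str]]]:
    """Walk /proc and return (pid, comm, reasons) for every flagged process."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            info = read_proc(int(entry))
        except OSError:          # kernel thread, race with process exit, or no permission
            continue
        reasons = suspicious_reasons(info)
        if reasons:
            hits.append((info.pid, info.comm, reasons))
    return hits


# Constructed records for offline testing; not captured from a real infection.
SAMPLES = [
    ProcInfo(101, "sshd", ["sshd", "-D"], "/usr/sbin/sshd"),                  # clean
    ProcInfo(202, "python3", ["python3", "app.py"], "/usr/bin/python3.11"),   # clean
    ProcInfo(303, "httpd", ["httpd", "-k", "start"], DROP_PATH + DELETED),    # all three indicators
    ProcInfo(404, "crond", ["crond"], "/var/tmp/.cache/update"),              # name mismatch only
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.pid, rec.comm, suspicious_reasons(rec) or "clean")
    print("live hits:", scan_live())
```

Run it as root so every /proc/<pid>/exe is readable; unprivileged runs silently skip other users' processes. The name-mismatch check is a heuristic and will flag legitimate symlinked binaries, so treat it as a lead to confirm against the two stronger indicators (drop path and deleted backing file), both of which can also be gathered for a flagged pid with `cat /proc/<pid>/maps` and a memory dump before the process is stopped.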

Indicators of Compromise

  • [IP Address] C&C – 43.156.118[.]72:443, 13.214.222[.]35:443
  • [Domain] C&C – cloud.awsxtd[.]com:443, bo.appleupcheck[.]com:443
  • [MD5] Nood RAT samples – 035f83018cf96f5e1f6817ccd39fc0b6, b4910e998cf58da452f8151b71c868cb
  • [MD5] Nood RAT samples – 4f3afdcfff8f7994b7d3d3fbaa6858b4, a15ebd19cac42b0297858018da62b1be

Read more: https://asec.ahnlab.com/en/62144/