Noodle RAT is a backdoor analyzed as a new family used by Chinese-speaking groups for espionage and cybercrime across Windows and Linux. The article details Win.NOODLERAT and Linux.NOODLERAT capabilities, their C2 communications, and a server-side ecosystem including control panels.
#NoodleRAT #Win.NOODLERAT #Linux.NOODLERAT #Gh0stRAT #Rekoobe #CalypsoAPT #IronTiger #CloudSnooper #Rocke
Key points
- Noodle RAT is an ELF-based backdoor used by multiple Chinese-speaking groups for espionage and cybercrime, with Windows and Linux variants (Win.NOODLERAT and Linux.NOODLERAT).
- Win.NOODLERAT is an in-memory, modular backdoor that can download/upload files, run in-memory modules, and act as a TCP proxy.
- Linux.NOODLERAT is an ELF backdoor with a reverse shell, file download/upload, scheduling execution, and SOCKS tunneling capabilities.
- The Windows loader uses MULTIDROP and MICROLOAD; MICROLOAD decrypts payloads via HKCRMicrosoft.System.UpdateCollUpdateAgent and injects into svchost.exe.
- C2 communication for Win.NOODLERAT supports TCP, SSL, and HTTP, with RC4 encryption and a custom XOR/AND-based header/payload encoding.
- Linux.NOODLERAT uses two separate encryption schemes: one for command processing (RC4/XOR/AND) and one for reverse-shell traffic (HMAC-SHA1 and AES-128-CBC).
- There are two command-ID clusters for each platform (Type 0x03A2 vs 0x132A on Windows; Type 0x03A2 vs 0x23F8 on Linux), indicating versioning and potential attribution to different groups (e.g., Iron Tiger, Calypso APT, Rocke).
MITRE Techniques
- [T1105] Ingress Tool Transfer – The malware can “Download and upload files” to/from C2
- [T1053] Scheduled Task/Job – Linux.NOODLERAT includes “Scheduling execution” to run tasks on a schedule
- [T1059.004] Unix Shell – Linux.NOODLERAT features a “Reverse shell” for remote command execution
- [T1055] Process Injection – Win.NOODLERAT “injects the decrypted shellcode into svchost.exe”
- [T1070.004] File Deletion – The Windows variant supports “Delete itself” to cover tracks
- [T1083] File and Directory Discovery – Commands include “Show lists of files and directories in root dir”
- [T1090] Proxy – “Start TCP server to proxy packets to the C&C server” to relay traffic
- [T1071.001] Web Protocols – Win.NOODLERAT uses HTTP (and TCP/SSL) for C2 communications
- [T1027] Obfuscated/Compressed Data – Communications and payloads are encrypted with RC4 and XOR/AND
- [T1036] Masquerading – “process name spoofing by overwriting argv” to hide the process’s identity
- [T1124] System Time Discovery – Linux.NOODLERAT lists “Show current datetime” as a capability
Indicators of Compromise
- File path – /usr/include/sdfwex.h, /tmp/.llock
- Process name – svchost.exe
- Registry key – HKCRMicrosoft.System.UpdateCollUpdateAgent
- File name – Oleview.exe
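As an added illustration, and not code from the Trend Micro write-up this page summarizes, the following Python turns the MITRE mappings and the indicators above into triage checks run over constructed host telemetry. The event schema, the function names and the sample events are assumptions made for this example; the file paths, process names and registry key are the ones listed on this page. Because the page's copy of the registry key shows no path separators, the check compares keys with backslashes stripped, so a properly delimited key still matches.

```python
"""Host-telemetry triage for the Noodle RAT indicators listed on this page.

Added example (not code from the Trend Micro analysis). The event schema, the
helper names and the sample events are constructed; the indicator values are
the ones the page lists.
"""
import ntpath
import posixpath

# Indicators as given on the page. The registry key is kept verbatim as the
# page shows it; _norm_key() strips backslashes so a delimited key compares equal.
IOC_FILE_PATHS = {"/usr/include/sdfwex.h", "/tmp/.llock"}
IOC_REGISTRY_KEY = "HKCRMicrosoft.System.UpdateCollUpdateAgent"
IOC_LOADER_NAME = "oleview.exe"
INJECTION_TARGET = "svchost.exe"


def _norm_key(key: str) -> str:
    return key.replace("\\", "").lower()


def check_file(ev: dict):
    """T1105: a file path the page associates with Linux.NOODLERAT was touched."""
    if ev.get("path") in IOC_FILE_PATHS:
        return ("T1105", f"known Noodle RAT file path touched: {ev['path']}")
    return None


def check_registry(ev: dict):
    """MICROLOAD decrypts its payload from a registry key; flag any access to it (T1027)."""
    if _norm_key(ev.get("key", "")) == _norm_key(IOC_REGISTRY_KEY):
        return ("T1027", f"payload-staging registry key accessed by {ev.get('image')}")
    return None


def check_process(ev: dict):
    """T1055 (injection into svchost.exe) and T1036 (argv-based process name spoofing)."""
    if ev.get("action") == "remote_thread":
        target = ntpath.basename(ev.get("target_image", "")).lower()
        source = ev.get("image", "").lower()
        # Alert only when the source is the named loader or lives outside the
        # Windows directory; services.exe creating threads in svchost.exe is expected.
        if target == INJECTION_TARGET and (
            source.endswith(IOC_LOADER_NAME) or not source.startswith("c:\\windows\\")
        ):
            return ("T1055", f"remote thread into svchost.exe from {ev.get('image')}")
    if ev.get("os") == "linux":
        exe = posixpath.basename(ev.get("exe", ""))
        # Login shells prefix argv[0] with '-', so strip it before comparing.
        argv0 = posixpath.basename((ev.get("cmdline") or [""])[0]).lstrip("-")
        # Triage heuristic: the on-disk executable and the name shown in argv[0] differ.
        if exe and argv0 and exe != argv0:
            return ("T1036", f"argv[0] '{argv0}' does not match executable '{ev['exe']}'")
    return None


CHECKS = {"file": check_file, "registry": check_registry, "process": check_process}


def scan(events):
    """Return (technique, description) findings for a list of telemetry events."""
    findings = []
    for ev in events:
        hit = CHECKS.get(ev.get("event"), lambda _ev: None)(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: three benign events and four that should alert.
SAMPLE_EVENTS = [
    {"event": "file", "os": "linux", "path": "/var/log/syslog"},
    {"event": "file", "os": "linux", "path": "/tmp/.llock"},
    {"event": "registry", "os": "windows", "image": r"C:\Users\alice\Oleview.exe",
     "key": "HKCRMicrosoft.System.UpdateCollUpdateAgent"},
    {"event": "process", "os": "windows", "action": "remote_thread",
     "image": r"C:\Windows\System32\services.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"event": "process", "os": "windows", "action": "remote_thread",
     "image": r"C:\Users\alice\Oleview.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"event": "process", "os": "linux", "exe": "/usr/sbin/sshd",
     "cmdline": ["/usr/sbin/sshd", "-D"]},
    {"event": "process", "os": "linux", "exe": "/dev/shm/.x", "cmdline": ["httpd"]},
]

if __name__ == "__main__":
    for technique, detail in scan(SAMPLE_EVENTS):
        print(technique, detail)
```

The argv[0] comparison is deliberately a triage heuristic rather than a verdict: multi-call binaries such as busybox and some service managers legitimately rewrite argv, so the T1036 hit should be reviewed together with the executable's location and the other findings for the same host.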