Noodle RAT: a unique Chinese backdoor targeting Linux and Windows

Tomcat

For years, the malware has been mistaken for variations of other programs, but is this spyware really that simple?

Security researchers from Trend Micro recently identified a new type of malware called "Noodle RAT" that Chinese-speaking hacker groups are actively using to attack Windows and Linux systems.

Although this malware has been active since at least 2016, it has only recently been properly classified, shedding light on its widespread use in both espionage and cybercrime.

The Noodle RAT malware, also known as ANGRYREBEL or Nood RAT, is a backdoor that has versions for both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT).

Despite its long history, Noodle RAT has often been misclassified as variants of other malware such as Gh0st RAT or Rekoobe, according to researchers. However, recent investigations have confirmed that Noodle RAT is a separate family of malware.

The Windows version of Noodle RAT is a modular backdoor that is launched by a loader and supports commands to download and upload files, execute other types of malware, act as a TCP proxy, and self-destruct. Groups using it include Iron Tiger and Calypso. Two types of loaders were seen in attacks on Thailand and India: MULTIDROP and MICROLOAD.

The Linux version of Noodle RAT is used by cybercriminal and espionage groups linked to China, including Rocke and Cloud Snooper. This version is equipped with the functions of reverse shell, file upload and download, task scheduling and SOCKS tunneling. Attacks on Linux servers are usually carried out using known vulnerabilities in public applications to install web shells and deliver malware.

Both versions of the malware have identical code for command and control communications and use similar configuration formats. Although Noodle RAT uses various plugins from Gh0st RAT and parts of code from Rekoobe, the backdoor itself is completely self-contained.

Trend Micro experts managed to gain access to the control panel, as well as the builder for the Linux version of Noodle RAT. Observed patches and enhancements documented in simplified Chinese indicate that the malware is being actively developed and sold to interested customers.

Recent I-Soon data leaks have revealed a large hack-for-hire scene of private companies in China, supporting the hypothesis of a complex supply chain in the Chinese cyber espionage ecosystem.

Researcher Hara Hiroaki notes that Noodle RAT has long been underestimated and misclassified, which was finally corrected by the efforts of Trend Micro cyber specialists.