Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups

June 11, 2024 at 04:39AM

Summary: This blog post analyzes the Noodle RAT backdoor, used by Chinese-speaking groups in cybercrime and espionage. It covers the backdoor’s history, capabilities for Windows and Linux, command-and-control communication, backdoor commands, similarities with Gh0st RAT and Rekoobe, and the discovery of a control panel and builder for Noodle RAT.

Authors: Hara Hiroaki

Key takeaways from the post:

1. Noodle RAT is a new backdoor malware suspected to be used by Chinese-speaking groups for espionage and cybercrime activities.
2. Noodle RAT has both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT) versions. It has been used in targeted attacks in the Asia-Pacific region.
3. Win.NOODLERAT is used by multiple threat groups, such as Iron Tiger and Calypso APT, for espionage purposes. It has capabilities such as file download/upload, running additional modules, and working as a TCP proxy.
4. Linux.NOODLERAT has been used by groups like Rocke for financial gains and in the Cloud Snooper Campaign for espionage. Its capabilities include reverse shell, file operations, scheduling execution, and SOCKS tunneling. It has been deployed as an additional payload of an exploit against public-facing applications.
5. Several similarities and overlaps were found between Noodle RAT and existing malware like Gh0st RAT and Rekoobe, but evidence suggests that Noodle RAT should be classified as a new malware family.
6. Control panels and builders for Noodle RAT were discovered, indicating the presence of a developer and client behind the malware, resembling a legitimate software distribution model.

These takeaways provide an understanding of Noodle RAT, its capabilities, and its potential impact on organizations. They also illustrate the importance of proactive threat hunting to detect and prevent Noodle RAT infections.
