June 14, 2024 at 08:43AM
The blog entry analyzes the Noodle RAT backdoor, indicating it is used by Chinese-speaking groups involved in espionage and cybercrime. It covers the history, functionalities, communication protocols, and similarities to other malware such as Gh0st RAT and Rekoobe. The potential server-side components of Noodle RAT were also disclosed. For more details, refer to the original document by Hara Hiroaki.
Based on the blog entry, the key takeaways are:
1. Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a sophisticated backdoor likely being used by Chinese-speaking groups for espionage and other types of cybercrime in the Asia-Pacific region.
2. The Noodle RAT malware includes both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT) versions, with various capabilities such as downloading and uploading files, running additional in-memory modules, and working as a TCP proxy.
3. The Win.NOODLERAT variant has been used in espionage campaigns targeting Thailand and India, while the Linux.NOODLERAT variant has been used by different groups for financial gains and espionage.
4. Both Win.NOODLERAT and Linux.NOODLERAT share similarities and overlaps with existing malware types such as Gh0st RAT and Rekoobe, but also exhibit unique characteristics that distinguish them as a new malware family.
5. A control panel and builder for Linux.NOODLERAT were discovered, suggesting the presence of a server-side component and a potential developer-client relationship behind the malware.
These findings document the existence and activities of Noodle RAT and underscore the importance of evaluating this malware family properly and raising awareness of it. Additionally, the Trend Vision One Hunting Query provided in the original post can be used for threat hunting and detection related to Noodle RAT.