Noodle RAT Reviewing the Backdoor Used by Chinese-Speaking Groups

We uncovered in VirusTotal a couple of command-and-control (C&C) panels pointing to the early versions of Noodle RAT; v1.0.0 for Win.NOODLERAT was compiled in July 2016, v1.0.1 for Linux.NOODLERAT in December 2016, and v1.0.1 for Linux.NOODLERAT in April 2017.

Despite its long history, Noodle RAT has not been properly classified until recently. Since 2018, multiple reports have been published about attacks involving Noodle RAT, but back then, this ELF backdoor was inadvertently identified as different malware families. For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019. Upon analysis, we discovered that the ELF backdoor mentioned in these reports was actually Noodle RAT.

Additionally, our telemetry also found espionage campaigns using Noodle RAT targeting Thailand, India, Japan, Malaysia, and Taiwan since 2020. This brief history shows that Noodle RAT has been shared among multiple groups and used for both espionage and cybercrime.

In the following sections, we discuss the details of both the Windows and Linux versions of Noodle RAT.

Win.NOODLERAT

Win.NOODLERAT is a shellcode-formed in-memory modular backdoor, originally reported by NCC Group and Positive Technology Security. Based on other vendor’s reports and our observation, it seems like Win.NOODLERAT is used by Iron Tiger, Calypso APT, and several unknown clusters in espionage campaigns. The built-in backdoor capabilities are quite simple

• Download and upload files
• Run additional in-memory modules
• Work as TCP proxy

Since Win.NOODLERAT is shellcode-formed, it requires its own loader. Our investigation has confirmed that MULTIDROP and MICROLOAD were used.

Installation

MULTIDROP, which we have observed in an espionage campaign targeting Thailand in 2019, is exactly the same as the dropper described by Positive Technology Security.

On the other hand, MICROLOAD, which we have observed in espionage campaigns targeting India from 2019 to 2021, has a different design. MICROLOAD is loaded by the legitimate Microsoft application Oleview.exe. It also decrypts the encrypted payload in HKCRMicrosoft.System.UpdateCollUpdateAgent by RC4 and injects the decrypted shellcode into svchost.exe.

The first stage of the shellcode is just a decoding stub to decode the following XORed data. Once initialization is completed, the core payload and config are decoded in memory.

C&C Communication

Regarding C&C communication, Win.NOODLERAT supports TCP, SSL, and HTTP. The entire communication is encrypted by RC4 and a custom algorithm using XOR and AND instructions. This algorithm, well documented by Positive Technology Security, is worth examining again as it plays a part in the comparison between Win.NOODLERAT and Linux.NOODLERAT.

The encrypted packet consists of two sections as follows: the header and the payload.

When sending data, it encrypts the header section of the packet using the following steps:

1. Initialize Header section fields of cmd_id, payload_len, and const_val
2. Generate 3 random DWORD values
3. Generate a part of the RC4 key by adding payload data length and random DWORD
4. Encode the value generated in Step 3 by XOR with the hardcoded key
5. Convert the values generated in Steps 3 and 4 into HEX string, and concatenate them
6. Encrypt the first 24 bytes of the header (= excluding header_key) by RC4 with the key generated in Step 5

For the payload section, it encrypts as follows:

1. Copy DWORD values from the head of the header section, cmd_id filed, and cont_val field
2. Encode each DWORD in Step 1 by XOR and AND instructions
3. Convert the values generated in Step 2 into HEX string, and concatenate them
4. Encrypt the payload data by RC4 with the key generated in Step 3

C&C Communication

Linux.NOODLERAT supports only TCP and HTTP for C&C communication protocol. Interestingly, the backdoor uses two different algorithms to encrypt the communication: the first part is for command processing, which uses RC4 and XOR+AND; and the second part is for a reverse shell session, which uses HMAC_SHA1 and AES128-CBC.

The encryption algorithm in the command processing session uses RC4 and a combination of XOR + AND instructions. This is mostly the same with Win.NOODLERAT even though the hardcoded key and APIs are different, as the following images show:

The reverse shell session will be initiated when it receives a backdoor command. Since the encryption algorithm in this session, as we will describe later, is totally the same as in one of the existing malware, we will explain the authentication mechanism as simply as possible:

1. It receives 40 bytes of data from the C&C server, which will be divided into two chunks of 20 bytes. Each chunk is then combined with the hardcoded string and the SHA1 hash value is calculated; HMAC_SHA1 pairs will be used for the AES key and IV of encryption/decryption and integrity check.
2. It receives an additional 16 bytes of data from the C&C server and decrypts it with the generated AES key materials.
3. It verifies if the decrypted challenge is the same as the hardcoded challenge bytes to ensure the C&C server’s authenticity.

Backdoor Commands

Like Win.NOODLERAT, we found that there are also two clusters of Linux.NOODLERAT based on the implemented backdoor command IDs: Type 0x03A2 and Type 0x23F8.

Table 2. Backdoor commands of Linux.NOODLERAT

For those marked with N/A, functions for these commands are implemented but there is no way to jump since Major-ID for these commands is not supported.

Compared to Win.NOODLERAT, most of the backdoor commands are different except the command for the response of successful authorization in Type 0x03A2. Also, Linux.NOODLERAT requires arguments for some specific commands. Like Win.NOODLERAT, comparing the commands between Type 0x03A2 and Type 0x23F8, both variants have a similar command sub-ID, such as 0x2186 in Type 0x03A2 and 0x5186 in Type 0x23F8. As previously stated, there is a chance that this might be an indicator of versioning. For the attribution, Type 0x03A2 was used by Rocke, Cloud Snooper campaign, and other unknown clusters, which possibly means that this type might be a shared version. On the other hand, more context is needed to fully attribute Type 0x23F8 to a specific group.

Similarities between Win.NOODLERAT and Linux.NOODLERAT

We have already mentioned that Linux.NOODLERAT shares mostly the same code in the C&C communication process with Win.NOODLERAT. Adding to that, both variants have several other similarities/overlaps. First is the backdoor command. As stated earlier, both Win.NOODLERAT and Linux.NOODLERAT expect to receive the command “0x3A2” when it’s authorized by the C&C server.

New Genes? Or Just a Legacy?

Up to this point, we have analyzed two already-documented backdoors that support different operating systems, suggesting that they belong to the same new malware family, Noodle RAT. However, several vendors have mentioned that Noodle RAT could be a variant of existing malware such as Gh0st RAT or Rekoobe. Their conclusion raises a question: Can Noodle RAT really be considered as new malware? To answer this, let’s revisit Gh0st RAT and Rekoobe.

Gh0st RAT was originally developed by the C. Rufus Security Team in China. Due to a leakage in 2008, the source code of Gh0st RAT has been made publicly available. Therefore, nowadays there are so many variants of Gh0st RAT being used by multiple threat actors.

Noodle RAT has several links to Gh0st RAT. For instance, as NCC reported in 2018, Win.NOODLERAT was using the same plugins as those used by Gh0st RAT. Additionally, Noodle RAT implemented a slightly similar packet encryption algorithm used by some variants of Gh0st RAT, such as Gh0stCringe, HiddenGh0st, and Gh0stTimes. Gh0st RAT variants often use a custom algorithm using a combination of XOR and other instructions, as Noodle RAT does.

However, apart from the plugins, there is no apparent similarity in the rest of the code of Noodle RAT and Gh0st RAT, leading us to the conclusion that the plugins were simply reused but the backdoor itself is totally different.

On the other hand, Rekoobe is a backdoor based on Tiny SHell (aka tsh) and its source code is publicly available on GitHub. It has been used for years in campaigns targeting Linux/Unix systems. This backdoor has already been detailed in reports published by several vendors. Dr.Web published the first report in 2015, and Intezer reported another version of Rekoobe in 2018. To avoid confusion, we will refer to the one mentioned by Dr.Web as “v2015” and the one mentioned by Intezer as “v2018”.

Rekoobe has been used by several actors with continued updates. As Dr.Web’s report mentioned, Rekoobe v2015 was used by the threat group APT31. This version modified the C&C protocol by adding a MAGIC value and changed its strategy to load the config data from the external file, not from the argument. Rekoobe v2018, based on our observation, has been use by multiple groups. This version reverted the C&C protocol into the original one but changed its strategy again to embed the config data in the binary itself. And it added a new feature to spoof the process name by overwriting “argv.”

Comparing Rekoobe and Noodle RAT, one might find that some parts of Linux.NOODLERAT’s code is the same as Rekoobe v2018, specifically the part of reverse shell and process name spoofing, as the following images show:

The code of the reverse shell session of Linux.NOODLERAT is completely the same as the one of Tiny SHell, which leads us to believe that the author of Noodle RAT might have just copied this part from Tiny SHell in GitHub. On the other hand, the technique to spoof the process name by overwriting “argv” is unique to Rekoobe v2018; this is not implemented in Tiny SHell and Rekoobe v2015. This can indicate that the author of Noodle RAT might be able to access the source code of Rekoobe v2018.

Still, since the rest of the code of Linux.NOODLERAT is totally different from any version of Rekoobe or Tiny SHell, we can conclude that Linux.NOODLERAT should be classified as another malware family.

Server Side of Noodle RAT

In the report of NCC Group in 2019, they disclosed the control panels of Win.NOODLERAT. One of them is named “Noodlesv1.0.0,” which might indicate that it’s for Win.NOODLERAT for v1.0.0. We also recently found a new version of the control panel and builder of Linux.NOODLERAT in VirusTotal.

Control Panel

The control panel we found was named “NoodLinux v1.0.1.” Like the previously found control panel, it requires a password to open. The password for the previous one is the current year and month (e.g., “202405”), but for this version, the password was hardcoded in the control panel. It could be opened with the password “hello!@#”.

This version of the control panel supports TCP and HTTP for C&C protocol and listens on the specified port. We tested it with the Linux.NOODLERAT sample and confirmed that it successfully works.

Builder

We found two versions of the builder for Linux.NOODLERAT: v1.0.1 and v1.0.2. This builder helps build Linux.NOODLERAT with a custom config defined by the user.

Interestingly, these server-side components were submitted with a release note in .doc form. Its file name, written in Simplified Chinese, is 更新说明, which translates to release notes or update instructions. Additionally, the name of the ini file, 副本, translates to “copy.”

The release note is also written in Simplified Chinese and describes the test results, improvements, fixes, and updates. This might indicate that there is a developer and a client behind this malware, like in legitimate software businesses.

Conclusion

We have provided an in-depth analysis of Noodle RAT for both Windows and Linux, highlighting similarities and overlaps with known malware types such as Gh0st RAT and Rekoobe, and suggesting that Noodle RAT is likely shared (or for sale) among Chinese-speaking groups. Additionally, we have also revealed a control panel and builder of Noodle RAT, suggesting the possibility of an existing malware ecosystem.

Noodle RAT has been misclassified and underrated for years. We hope that this blog will help people to properly evaluate an incident related to Noodle RAT.

We have confirmed that some samples of Noodle RAT were uploaded in Virus Total in 2024, which means that it is highly probable that the malware is still in use. Considering the increase of exploitation against public-facing applications in recent years, malware targeting Linux/Unix systems is becoming more essential for attackers. It might suggest that Noodle RAT could continue to be an attractive option for threat actors for attacks.  

Trend Vision One Hunting Query

The following query lists potentially useful queries for threat hunting within Vision One:

• Noodle RAT detection
  • malName:*NOODLERAT* AND eventName: MALWARE_DETECTION

• Potential Noodle RAT infection
  • FileFullPath:”/usr/include/sdfwex.h” OR FileFullPath:”/tmp/.llock”

Indicators of Compromise

The indicators of compromise for this entry can be found here.