Hacking groups have been using a piece of weaponized code for nearly 10 years to access both Windows and Linux operating systems, and now security researchers have discovered it is not a variant of other malware but its own individual entity.
2VIEW GALLERY – 2 IMAGES
A new report published by Trend Micro has outlined a go-to form of malware used by Chinese-state-sponsored hacking groups such as Iron Tiger and Calypso. The piece of malware is believed to have been used since at least 2016, and was originally thought to be a variant of other famous malware such as Gh0st RAT and Rekoobe. Trend Micro reports the new malware isn’t a variant of the aforementioned malware, but a “new type altogether“.
The publication suspects its currently being used by many Chinese hacking groups performing espionage or cybercrime, and it has been dubbed “Noddle RAT”. The new form of malware has been confirmed on both Windows and Linux machines, with some instances dating back as far as July 2016.
Multiple reports of attacks that used Noodle RAT have been popping up since 2018, but, unfortunately, they were misclassified due Noddle RAT using plugins that were used by Gh0st Rat (Windows version) and Linux’s version having overlap with the Rekoobe malware.
“Despite its long history, Noodle RAT has not been properly classified until recently. Since 2018, multiple reports have been published about attacks involving Noodle RAT, but back then, this ELF backdoor was inadvertently identified as different malware families. For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018.
Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019. Upon analysis, we discovered that the ELF backdoor mentioned in these reports was actually Noodle RAT,” writes Trend Micro
More specifically, Windows and Linux versions, while being different, are very similar, such as the capability to upload and download files, running additional malware, working as a TCP proxy, and more. Furthermore, both version of the Noodle RAT malware share identical code for command-and-control (C2) communications.
“Noodle RAT is likely shared (or for sale) among Chinese-speaking groups,” Trend Micro said. “Noodle RAT has been misclassified and underrated for years.“