Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups


Since 2022, Trend Micro researchers have been investigating numerous targeted attacks in the Asia-Pacific region that used the same ELF backdoor.

Most vendors identify this backdoor as a variant of existing malware such as Gh0st RAT or Rekoobe. However, Trend Micro unearthed the truth: this backdoor is not merely a variant of existing malware, but is a new type altogether. The researchers suspect it is being used by Chinese-speaking groups engaged in either espionage or cybercrime. We dubbed this formerly undocumented malware as “Noodle RAT.” Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a relatively simple backdoor confirmed to have both Windows (Win.NOODLERAT) and Linux (Linux.NOODLERAT) versions.

Read more…
Source: Trend Micro


Sign up for our Newsletter


Related:

  • Rhadamanthys v0.5.0 – A Deep Dive Into The Stealer’s Components

    December 14, 2023

    Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design. In their last article on Rhadamanthys, Check Point researchers focused on the custom executable formats used by this malware and their similarity to a different family, Hidden Bee, which is most likely its predecessor. In this article they do a ...

  • Analyzing AsyncRAT’s code injection into aspnet_compiler.exe across multiple incident response cases

    December 11, 2023

    During their recent investigations, the Trend Micro Managed XDR (MxDR) team handled various cases involving AsyncRAT, a Remote Access Tool (RAT) with multiple capabilities,  such as keylogging and remote desktop control, that make it a substantial threat to victims. This blog entry delves into MxDR’s unraveling of the AsyncRAT infection chain across multiple cases, shedding light ...

  • MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF

    December 7, 2023

    FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file. The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer. This malware is a Python-based information stealer compressed with ...

  • New Tool Set Found Used Against Organizations in the Middle East, Africa and the US

    December 1, 2023

    Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. The researchers will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors’ activity. Unit 42 team is sharing this research to provide detection, prevention and hunting ...

  • AeroBlade on the hunt targeting the U.S. Aerospace industry

    November 30, 2023

    BlackBerry has uncovered a previously unknown threat actor targeting an aerospace organization in the United States, with the apparent goal of conducting commercial and competitive cyber espionage. The BlackBerry Threat Research and Intelligence team is tracking this threat actor as AeroBlade. The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email ...

  • Hellhounds: Operation Lahat

    November 30, 2023

    In 2023, Positive Technologies Computer Security Incident Response Team (PT CSIRT) discovered that a certain power company was compromised by the Decoy Dog trojan. According to the PT CSIRT investigation, Decoy Dog has been actively used in cyberattacks on Russian companies and government organizations since at least September 2022. This trojan was previously discussed by NCIRCC, Infoblox, ...