Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups

Backdoor Commands

During our analysis, we discovered that there are different types of Win.NOODLERAT that implement various command IDs. Based on one of the command IDs received upon successful authentication by the C&C server, we categorized them into two clusters: Type 0x03A2 and Type 0x132A. The backdoor capability is implemented using a combination of major-ID and optional sub-ID. Table 1 lists the backdoor commands:
 

Actions

Type 0x03A2

Type 0x132A

Major-ID

Sub-ID

Major-ID

Sub-ID

Successfully authorized

0x03A2

0x132A

Message of the end of command

0x0AC3

0x1AC3

Initialize module metadata

0x194C

0x294C

Receive module data

0x1AF2

0x2AC8

Launch module without pipe

0x1397

0x230E

Delete module metadata

0x1D50

0x2D06

Upload a file to C&C server

0x390A

0x35C3 & 0x35C4 & 0x3013

0x590A

0x55C3 & 0x55C4 & 0x5013

List directories recursively

0x390A

0x35C5

0x590A

0x55C5

Download a file from C&C server

0x390A

0x35C7 & 0x35C8 & 0x35C9 & 0x3013

0x590A

0x55C7 & 0x55C8 & 0x55C9 & 0x5013

Write given data to pipe

0x2099

0x2186

0x3099

0x3167

Write 0x32E0 to pipe

0x2099

0x220E

0x3099

0x32E0

Write 0x38AF to pipe

0x2099

0x28FA

0x3099

0x38AF

Send module data to another module

0x2099

0x2741

0x3099

0x3716

Same as 0x3099

0x2099

0x2A0B

0x3099

0x3A0B

Start TCP server to proxy packets to the C&C server

0x2099

0x2CBD

0x3099

0x3CD0

Delete itself

N/A

0x1C1C

Table 1. Backdoor commands of Win.NOODLERAT

The first one, Type 0x03A2, implements most commands except the last one, deleting itself. This type of Win.NOODLERAT was used by Iron Tiger and other unknown clusters for espionage purposes, suggesting that this version could be a shared version.

The second one, Type 0x132A, implements full features. This type of Win.NOODLERAT was used only by Calypso APT. Therefore, this is likely an exclusive version.

Interestingly, upon comparing the command IDs, we found that some have similar parts. For instance, the command IDs to upload a file to the C&C server are 0x390A and 0x590A respectively; this similarity might be an indicator of versioning, but there is not enough evidence to conclude such.

Linux.NOODLERAT

Linux.NOODLERAT is an ELF version of Noodle RAT, but with a different design. This backdoor has been used by several groups with various motivations, such as Rocke (Iron Cybercrime Group) for financial gains

Cloud Snooper Campaign for espionage, and an unknown cluster also for spying purposes. Since it’s designed differently, its backdoor capabilities are also slightly different:

  • Reverse shell
  • Download & Upload files
  • Scheduling execution
  • SOCKS tunneling

Initialization

In most cases, Linux.NOODLERAT was deployed as an additional payload of an exploit against public-facing applications. After deployment, the backdoor copies itself to /tmp/CCCCCCCC and performs process name spoofing by overwriting “argv.” Then, it decrypts the embedded config by RC4 with the hardcoded key, “r0st@#$.” The decrypted config is formatted as shown in the diagram below; Linux.NOODLERAT will connect to the defined C&C server based on the config.

Read More HERE