Severity
High
Analysis Summary
Noodle RAT, a previously undocumented cross-platform malware, has been identified as a distinct and new threat used by Chinese-speaking threat actors for espionage and cybercrime since at least July 2016.
Initially classified as a variant of Gh0st RAT and Rekoobe, Noodle RAT has since been identified by researchers as an entirely new type of backdoor. Known by monikers such as ANGRYREBEL and Nood RAT, it is available in both Windows and Linux versions and has been used by groups including Iron Tiger, Calypso, Rocke, and Cloud Snooper. The malware has been active in multiple campaigns that rely on shellcode foundations and loaders such as MULTIDROP and MICROLOAD, particularly targeting regions such as Thailand and India.

The Windows version of Noodle RAT is an in-memory modular backdoor that supports a wide range of malicious activities, including downloading and uploading files, running additional malware, acting as a TCP proxy, and self-deletion. The Linux version, by contrast, is geared towards launching reverse shells, scheduling executions, and initiating SOCKS tunneling. Its operators exploit known security vulnerabilities in public-facing applications to breach servers and deploy web shells. Despite differences in their backdoor commands, both versions share identical code for command-and-control (C2) communications and the same configuration format, reflecting a high level of sophistication and a common underlying architecture.
Further analysis revealed that, while Noodle RAT reuses plugins from Gh0st RAT and shares some code with Rekoobe, it remains a unique backdoor. The investigation uncovered a control panel and builder for the Linux variant, with release notes in Simplified Chinese indicating ongoing development and maintenance.
This points to a commercial aspect, where Noodle RAT is likely sold and distributed among interested parties within the Chinese-speaking cybercrime ecosystem. The leaks have further exposed a corporate hack-for-hire scene in China, highlighting connections between private firms and state-sponsored cyber actors.
The discovery of Noodle RAT underscores the complexity and commercial nature of China's cyber espionage operations. Tools like Noodle RAT are believed to be part of a sophisticated supply chain involving private and government entities engaged in malicious activities. The findings emphasize that Noodle RAT has been misclassified and underrated for years, revealing its significant role in the arsenal of Chinese cyber threat actors and its widespread distribution among various groups for espionage and cybercrime purposes.
Impact
- Sensitive Data Theft
- Data Exfiltration
- Unauthorized Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Conduct regular security assessments and vulnerability scans to identify and address potential entry points exploited by malware.
- Strengthen network defenses by employing firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and block suspicious activities.
- Adopt a zero-trust security model, ensuring strict access controls and continuous verification of user and device legitimacy.
- Implement multifactor authentication (MFA) to enhance security for accessing critical systems and data.
- Ensure proper network segmentation to limit the lateral movement of attackers within the network.
- Educate and train employees on recognizing phishing attempts and social engineering tactics to reduce the risk of initial compromise.
- Regularly back up critical data and ensure backups are secure and easily accessible in case of ransomware attacks or other data loss incidents.
- Monitor and analyze network traffic for signs of command-and-control (C2) communications associated with malware infections.
- Employ threat intelligence services to stay informed about emerging threats and indicators of compromise (IOCs) related to Noodle RAT and similar malware.
- Develop and test incident response plans to ensure quick and effective action in the event of a security breach.
- Consider deploying deception technologies, such as honeypots, to detect and analyze attacker behavior and tactics.
- Collaborate with cybersecurity firms and industry groups to share information and strategies for mitigating threats posed by Noodle RAT and other sophisticated malware.
- Regularly review and update cybersecurity policies and procedures to align with the evolving threat landscape and ensure comprehensive protection against advanced threats.
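The "Search for IOCs in your environment" step above, as an added example (not the advisory's own tooling): a hash-based sweep that computes the three digest types this advisory publishes (MD5, SHA1, SHA-256) for every file under a directory and reports any that match an IOC list. The IOC values in SAMPLE_IOCS are constructed placeholders, not Noodle RAT indicators; paste the advisory's lists in their place.

```python
import hashlib
import os
import tempfile
# Constructed placeholder IOC set keyed by digest type; these are NOT real Noodle RAT
# indicators. In practice, paste the advisory's MD5 / SHA1 / SHA-256 lists here.
SAMPLE_IOCS = {
    "md5": {hashlib.md5(b"constructed-sample-a").hexdigest()},
    "sha256": {hashlib.sha256(b"constructed-sample-b").hexdigest().upper()},
}

def file_digests(path, chunk=1 << 20):
    """Return MD5, SHA-1 and SHA-256 hex digests for one file, streamed in chunks."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}

def normalize_iocs(iocs):
    """Lowercase and strip each digest so case or whitespace in a pasted list cannot cause a miss."""
    return {kind: {v.strip().lower() for v in vals} for kind, vals in iocs.items()}

def match_file(path, iocs):
    """Return [(digest_type, digest)] hits for one file; an empty list means no IOC matched."""
    digests = file_digests(path)
    return [(k, digests[k]) for k in ("md5", "sha1", "sha256") if digests[k] in iocs.get(k, set())]

def sweep(root, iocs):
    """Walk root and return {path: hits} for files matching any IOC; unreadable files are skipped."""
    iocs = normalize_iocs(iocs)
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                found = match_file(p, iocs)
            except OSError:
                continue
            if found:
                hits[p] = found
    return hits

def demo():
    """Sweep a constructed directory: two files match the placeholder IOCs, one is clean."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.bin", b"constructed-sample-a"), ("b.bin", b"constructed-sample-b"),
                           ("clean.txt", b"nothing to see here")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): [k for k, _ in h] for p, h in sweep(root, SAMPLE_IOCS).items()}
```

Matching on all three digest types at once means a hit is reported even when only one hash family is present in the list you were given.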