For almost a decade, different Chinese threat actor groups used a piece of weaponized code that was mistakenly categorized as a variant of another malware, security experts have admitted.
In a report, Trend Micro revealed since 2016, groups such as Iron Tiger and Calypso used a piece of malware that was thought to be a variant of Gh0st RAT and Rekoobe. The former was first observed back in 2008 and has, throughout the years, become the go-to tool for Chinese state-sponsored threat actors.
But this backdoor, which Trend Micro dubbed Noodle RAT, is no variant, “but is a new type altogether,” the researchers say. This remote access trojan, which is also sometimes labeled as ANGRYREBEL or Nood RAT, is available on both Windows and Linux, and has been circulating around the world since at least 2016, so roughly eight years now.
Overlapping features
While the Windows and Linux versions vary somewhat, there are overlapping features – both support uploading and downloading files, running additional malware, working as a TCP proxy, and initiating SOCKS tunneling. What’s more, both versions share identical code for command-and-control (C2) communications.
Apparently, the researchers were confusing Noodle RAT with a variant of Gh0st since the Windows version reuses some of its plugins. On the other hand, the Linux version has some code overlaps with Rekoobe.
“Noodle RAT is likely shared (or for sale) among Chinese-speaking groups,” Trend Micro said. “Noodle RAT has been misclassified and underrated for years.”
Different groups are using the tool against different targets and for different purposes. That being said, two separate Windows loaders – MULTIDROP and MICROLOAD, were observed in Thailand and India.
China has a very active hacking community on the government’s payroll, including infamous groups such as Winnti, Buckeye, or Stone Panda.