This dangerous new form of malware attacks both Windows and Linux systems

For nearly a decade, several Chinese threat actor groups used a piece of weaponized code that was wrongly categorized as a variant of another malware, security experts have acknowledged.

In a report, Trend Micro revealed that since 2016, groups such as Iron Tiger and Calypso have been using a piece of malware that was believed to be a variant of Gh0st RAT and Rekoobe. Gh0st RAT was first observed in 2008 and has since become a tool of choice for Chinese state-sponsored threat actors.

But this backdoor, which Trend Micro calls Noodle RAT, is not a variant “but is an entirely new type,” the researchers say. The remote access trojan, also known as ANGRYREBEL or Nood RAT, exists in both Windows and Linux versions and has been circulating around the world since at least 2016, about eight years now.

Overlapping functions

While the Windows and Linux versions vary slightly, there are overlapping features: both support uploading and downloading files, running additional malware, acting as a TCP proxy, and initiating SOCKS tunneling. Furthermore, both versions share identical code for command-and-control (C2) communications.

The researchers attribute the earlier confusion of Noodle RAT with Gh0st RAT to the Windows version reusing some of Gh0st RAT's plugins, while the Linux version shares some code with Rekoobe.

“Noodle RAT is likely to be shared (or for sale) among Chinese-speaking groups,” Trend Micro said. “Noodle RAT has been misclassified and underestimated for years.”

Different groups use the tool against different targets and for different purposes. Two separate Windows loaders for it, MULTIDROP and MICROLOAD, were spotted in Thailand and India.

China has a very active hacking community on the government payroll, including infamous groups like Winnti, Buckeye, and Stone Panda.
