For nearly a decade, several Chinese threat actors used a backdoor that the security industry had misclassified as a variant of already known malware families, researchers now acknowledge.
In a report, Trend Micro revealed that since 2016, groups such as Iron Tiger and Calypso have been using malware that was previously taken to be a variant of Gh0st RAT (on Windows) or Rekoobe (on Linux). Gh0st RAT was first observed in 2008 and has since become a go-to tool for Chinese state-sponsored threat actors.
But this backdoor, which Trend Micro named Noodle RAT, is not a variant of either family, "but a completely new type," the researchers say. The remote access Trojan, also tracked as ANGRYREBEL or Nood RAT, exists in both Windows and Linux builds and has been in circulation worldwide since at least 2016, roughly eight years.
Overlapping functions
While the Windows and Linux versions differ in some respects, their core capabilities overlap: both support file upload and download, execution of additional malware, operation as a TCP proxy, and setup of a SOCKS tunnel. More tellingly, both versions share identical code for command-and-control (C2) communications, which is what ties them together as one family rather than two.
The misclassification is understandable: the Windows version reuses some of Gh0st RAT's plugins, which led analysts to file it as a Gh0st variant, while the Linux version shares some code with Rekoobe. Shared components are not the same as shared lineage, and in this case they masked a distinct codebase.
“Noodle RAT is likely to be shared (or sold) among Chinese-speaking groups,” Trend Micro stated. “Noodle RAT has been misclassified and underrated for years.”
Different groups deploy the tool against different targets and for different purposes. Consistent with that, two distinct Windows loaders for Noodle RAT, MULTIDROP and MICROLOAD, were observed in campaigns in Thailand and India.
China maintains a large ecosystem of state-backed intrusion groups, including well-known actors such as Winnti, Buckeye (APT3), and Stone Panda (APT10).