A Japanese group of specialists has identified a new virus used in espionage and linked to Chinese cybercrime groups, which affects Windows and Linux operating systems.
Cybersecurity experts from the Japanese firm Trend Micro have identified a new variant of malware that they have been investigating since 2022. In a new post, they explain the characteristics of this virus that they have called “Noodle RAT”, and which they define as a backdoor that “represents a new category of malware, rather than simply a variant of existing threats.”
According to Trend Micro, this malware reportedly derives from Gh0st RAT, a virus that appeared in 2008 and has been associated with Chinese groups that have used it in various campaigns. “Since 2018, several reports have been published about attacks involving Noodle RAT, but back then, this ELF backdoor was inadvertently identified as different malware families,” they explain.
The Noodle RAT variant for Windows works as a modular in-memory backdoor: it is activated by a loader and gives the attacker functionality such as file downloads, deployment of additional malware, TCP proxying and self-deletion. Some loaders used by this virus have been found in campaigns carried out in Thailand, India, Taiwan, Japan and Malaysia.
As for the Linux variant, Chinese cybercrime and espionage groups have been directly linked to Noodle RAT. The version for this OS supports reverse shells, file transfers, task scheduling and SOCKS tunnels. In these attacks, vulnerabilities are exploited to gain access to Linux servers, obtain remote access and introduce the malware.
Links with China
According to Hara Hiroaki, a technology specialist at Trend Micro, “Noodle RAT is likely to be shared or sold among Chinese-speaking groups,” and although it has been in use for several years, it had not really been classified until recently. It has been used mainly in cybercrime and espionage, aimed at both private and government entities.
The malware shares many similarities with Gh0st RAT and Rekoobe, and the discovery of a Noodle RAT control panel and builder suggests that a malware ecosystem may exist around it.
With all this, Trend Micro reports that they have confirmed “that some Noodle RAT samples were loaded into VirusTotal in 2024, which means that it is very likely that the malware is still in use. Considering the increase in exploitation of public applications in recent years, malware targeting Linux/Unix systems is becoming more essential for attackers. It could suggest that Noodle RAT could remain an attractive option for attacks by threat actors.”
Thus, the malware is understood to be active and under development, since the code that was found shows recent work to improve it by fixing some bugs.
Although the researchers do not provide much information about the ways in which the virus may be shared, it is understood to be malware aimed at specific entities rather than the general public.