| Noodle RAT | |
| --- | --- |
| Type of Malware | Remote Access Trojan |
| Country of Origin | China |
| Date of initial activity | 2016 |
| Targeted Countries | Thailand |
| Additional Names | ANGRYREBEL |
| Associated Groups | Rocke |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
In the ever-evolving landscape of cyber threats, the emergence of new and sophisticated malware strains is a constant challenge for cybersecurity professionals. One such malware, known as Noodle RAT, has recently come under scrutiny due to its widespread use and complex features. Discovered in 2022, Noodle RAT represents a significant advancement in the realm of Remote Access Trojans (RATs), with distinct versions targeting both Windows and Linux systems. Its versatility and stealth capabilities have made it a tool of choice for various cybercriminal groups, particularly those with ties to Chinese-speaking regions.
Noodle RAT, which operates under multiple aliases such as ANGRYREBEL and Nood RAT, has been linked to numerous espionage and cybercrime activities across the Asia-Pacific region. Although some vendors have classified it as a variant of existing malware such as Gh0st RAT or Rekoobe, a Trend Micro analysis shows that Noodle RAT is a distinct backdoor with its own set of features and operational methods. The malware has been used by several threat actors, including prominent espionage groups and financially motivated cybercriminals, which highlights its adaptability and effectiveness.
Targets
Government Agencies: Noodle RAT is used to compromise government systems, often to gain access to sensitive or classified information. These attacks are typically state-sponsored and aim to gather intelligence or disrupt governmental operations.
Financial Institutions: Banks and financial organizations are frequent targets, as attackers seek to steal financial data, perform fraudulent transactions, or disrupt financial services.
Corporate Entities: Businesses across different industries are targeted for intellectual property theft, espionage, and disruption of operations. The malware can be used to access confidential business communications, strategic plans, and proprietary technologies.
Healthcare Organizations: Hospitals and medical institutions are targeted for their sensitive patient data and health records. Cybercriminals may seek to exploit this data for financial gain or to disrupt healthcare services.
Educational Institutions: Universities and research institutions can be targeted to access academic research, proprietary data, and personal information of staff and students.
Critical Infrastructure: Entities involved in critical infrastructure, such as energy, transportation, and utilities, are targeted to disrupt essential services and potentially cause widespread impact.
High-Profile Individuals: In some cases, high-profile individuals, such as executives or prominent public figures, may be targeted to gain access to their personal and professional communications.
How they operate
Noodle RAT typically gains initial access through phishing attacks or drive-by compromises. Cybercriminals often deploy malicious emails containing infected attachments or links. Once a user interacts with these payloads, the malware executes, establishing a foothold on the compromised system. Additionally, Noodle RAT can exploit vulnerabilities in web browsers or plugins to deliver its payload via compromised or malicious websites.
Once inside, Noodle RAT utilizes several techniques to ensure its persistence and evade detection. It may create entries in the Windows Registry or startup folders to ensure it is reactivated after system reboots. Scheduled tasks are another method used to maintain its presence, enabling the malware to execute at regular intervals. To avoid detection by security software, Noodle RAT often employs obfuscation techniques, such as encrypting or encoding its payload, making it harder for traditional defenses to identify.
Privilege escalation is a critical phase for Noodle RAT operators, allowing them to gain elevated access on the compromised system. The malware might exploit known vulnerabilities or use stolen credentials to achieve higher levels of control. With elevated privileges, Noodle RAT can perform a range of activities, including data collection and lateral movement within the network. By gathering system information and scanning for network services, it identifies additional targets or weaknesses that can be exploited.
The malware’s impact extends to data exfiltration and potential disruption. Noodle RAT typically uses its command-and-control (C2) channel to send sensitive data back to the attackers’ servers, and automated collection routines make this transfer efficient and covert. Although primarily a spying tool, Noodle RAT’s capabilities might include disrupting operations through system shutdowns or reboots, or through file encryption if a variant carries ransomware-like features.
MITRE Tactics and Techniques
1. Initial Access
Phishing (T1566): Noodle RAT often uses phishing emails to deliver malicious payloads. These emails may contain infected attachments or links that, when clicked, execute the malware.
Drive-by Compromise (T1189): Exploiting vulnerabilities in web browsers or plugins to deliver the malware through compromised or malicious websites.
2. Execution
Command and Scripting Interpreter (T1059): Executes commands or scripts on the compromised system to facilitate further actions. This can include using PowerShell, cmd.exe, or other scripting environments to run Noodle RAT.
User Execution (T1204): The malware relies on users to execute the payload, often disguised as a legitimate file or application.
3. Persistence
Registry Run Keys / Startup Folder (T1547): Adds entries to the Windows Registry or startup folders to ensure that the malware persists after system reboots.
Scheduled Task/Job (T1053): Creates scheduled tasks to maintain persistence and execute the malware at regular intervals.
4. Privilege Escalation
Exploitation for Privilege Escalation (T1068): Exploits known vulnerabilities to gain higher privileges on the compromised system.
Valid Accounts (T1078): Uses stolen credentials to gain elevated access or further control over the target system.
5. Defense Evasion
Obfuscated Files or Information (T1027): Employs various obfuscation techniques to hide its presence, including encoding or encrypting its payload.
Impair Defenses (T1562): May attempt to disable or bypass security software and defenses to avoid detection.
6. Credential Access
Credential Dumping (T1003): Collects credentials from the compromised system to facilitate lateral movement or access to other systems.
Brute Force (T1110): Uses brute force techniques to crack passwords and gain access to additional systems or accounts.
7. Discovery
System Information Discovery (T1082): Gathers information about the system, including hardware, software, and network configurations, to identify valuable targets or weaknesses.
Network Service Scanning (T1046): Scans the network for services and open ports that can be exploited or used for further attacks.
8. Lateral Movement
Remote Services (T1021): Uses remote services like Remote Desktop Protocol (RDP) or Windows Management Instrumentation (WMI) to move laterally within the network.
Pass-the-Hash (T1550): Uses captured hash values to authenticate and access other systems without needing the plaintext password.
9. Collection
Data from Information Repositories (T1213): Collects data from various repositories like file shares or databases.
Input Capture (T1056): Captures user input, such as keystrokes, to gather sensitive information.
10. Exfiltration
Exfiltration Over C2 Channel (T1041): Uses the command-and-control (C2) channel to exfiltrate collected data to external servers controlled by the attacker.
Automated Exfiltration (T1020): Automatically transfers data from the compromised system to the attacker’s infrastructure.
11. Impact
Data Encrypted for Impact (T1486): Encrypts files to disrupt access to critical data, though this is more relevant if the malware has ransomware capabilities.
System Shutdown/Reboot (T1529): May initiate shutdowns or reboots to disrupt operations or cover its tracks.
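The persistence behaviours described under "How they operate" and in the technique list above (Registry Run keys, the Startup folder, scheduled tasks) are the ones most visible in endpoint telemetry. As an added example that is not part of the original page or of any vendor's tooling, the following Python maps constructed Sysmon-style events to the technique IDs listed; the event records and the user-writable-path heuristic are assumptions for illustration, not indicators taken from Noodle RAT samples.

```python
"""Hunt for the persistence TTPs attributed to Noodle RAT above (Run keys,
Startup folder, scheduled tasks) in Sysmon-style event records.
Added example: every event below is constructed, not real telemetry."""
import re

# Constructed events using Sysmon field names (EventID 1 = process create,
# 11 = file create, 13 = registry value set).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\bob\AppData\Roaming\svchost.exe", "Image": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn Updater /tr "C:\ProgramData\up.exe"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk",
     "Image": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
# Heuristic (assumption): legitimate installers rarely register autostart
# entries for binaries living in user-writable directories.
SUSPICIOUS_PATH = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.I)


def classify(event):
    """Return (technique_id, reason) for a hit, or None for benign events."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        if SUSPICIOUS_PATH.search(event.get("Details", "")):
            return ("T1547.001", "Run key points into a user-writable directory")
    elif eid == 1 and SCHTASKS_CREATE.search(event.get("CommandLine", "")):
        if SUSPICIOUS_PATH.search(event.get("CommandLine", "")):
            return ("T1053.005", "scheduled task created for a binary in a user-writable directory")
    elif eid == 11 and STARTUP_DIR.search(event.get("TargetFilename", "")):
        return ("T1547.001", "file dropped into the Startup folder")
    return None


def hunt(events):
    """Return the list of (technique_id, reason) hits across all events."""
    return [hit for hit in (classify(e) for e in events) if hit]


if __name__ == "__main__":
    for technique, reason in hunt(SAMPLE_EVENTS):
        print(technique, "-", reason)
```

The OneDrive entry written from Program Files by msiexec is deliberately left unflagged to show that the path heuristic, not the Run key alone, drives the alert.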