This dangerous new form of malware is attacking Windows and Linux systems alike

Malware worm
(Image credit: Shutterstock)

For almost a decade, different Chinese threat actor groups used a piece of weaponized code that was mistakenly categorized as a variant of another malware, security experts have admitted.

In a report, Trend Micro revealed since 2016, groups such as Iron Tiger and Calypso used a piece of malware that was thought to be a variant of Gh0st RAT and Rekoobe. The former was first observed back in 2008 and has, throughout the years, become the go-to tool for Chinese state-sponsored threat actors.

But this backdoor, which Trend Micro dubbed Noodle RAT, is no variant, “but is a new type altogether,” the researchers say. This remote access trojan, which is also sometimes labeled as ANGRYREBEL or Nood RAT, is available on both Windows and Linux, and has been circulating around the world since at least 2016, so roughly eight years now.

Overlapping features

While the Windows and Linux versions vary somewhat, there are overlapping features - both support uploading and downloading files, running additional malware, working as a TCP proxy, and initiating SOCKS tunneling. What’s more, both versions share identical code for command-and-control (C2) communications.

Apparently, the researchers were confusing Noodle RAT with a variant of Gh0st since the Windows version reuses some of its plugins. On the other hand, the Linux version has some code overlaps with Rekoobe. 

"Noodle RAT is likely shared (or for sale) among Chinese-speaking groups," Trend Micro said. "Noodle RAT has been misclassified and underrated for years."

Different groups are using the tool against different targets and for different purposes. That being said, two separate Windows loaders - MULTIDROP and MICROLOAD, were observed in Thailand and India. 

China has a very active hacking community on the government’s payroll, including infamous groups such as Winnti, Buckeye, or Stone Panda.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.