A backdoor in Executable and Linkable Format (ELF) files used by Chinese hackers has wrongly been identified as a variant of existing malware for years, Trend Micro claimed in a new report.
In "Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups," a blog post based on a Botconf 2024 presentation, Trend Micro Research introduced Noodle RAT, a remote access Trojan used by Chinese-speaking groups engaged in either espionage or cybercrime.
A Longstanding Yet Misclassified Backdoor
Also known as ANGRYREBEL or Nood RAT, Noodle RAT has been active since at least 2018. However, it was always considered a variant of an existing malware strain like Gh0st RAT or Rekoobe.
“For instance, NCC Group released a report on a variant of Gh0st RAT used by Iron Tiger in 2018. Talos released a report on an ELF backdoor used by Rocke (aka Iron Cybercrime Group) in 2018. Sophos released a report on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Positive Technology Security released a report on Calypso RAT used by Calypso APT in 2019,” said Trend Micro.
Upon analysis, the cybersecurity provider’s threat intelligence team discovered that the ELF backdoor mentioned in these reports was actually a new malware strain that they named Noodle RAT.