{"id":56323,"date":"2024-06-11T00:00:00","date_gmt":"2024-06-11T00:00:00","guid":{"rendered":"urn:uuid:2aa9047b-8c48-84a8-58d8-cfe260f068f5"},"modified":"2024-06-11T00:00:00","modified_gmt":"2024-06-11T00:00:00","slug":"noodle-rat-reviewing-the-backdoor-used-by-chinese-speaking-groups","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/noodle-rat-reviewing-the-backdoor-used-by-chinese-speaking-groups\/","title":{"rendered":"Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Backdoor Commands<\/b><\/p>\n

During our analysis, we discovered that there are different types of Win.NOODLERAT that implement various command IDs. Based on one of the command IDs received upon successful authentication by the C&C server, we categorized them into two clusters: Type 0x03A2 and Type 0x132A. The backdoor capability is implemented using a combination of major-ID and optional sub-ID. Table 1 lists the backdoor commands:
 <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Actions<\/b><\/td>\n\n

Type 0x03A2<\/b><\/p>\n<\/td>\n

\n

Type 0x132A<\/b><\/p>\n<\/td>\n<\/tr>\n

\n

Major-ID<\/b><\/p>\n<\/td>\n

\n

Sub-ID<\/b><\/p>\n<\/td>\n

\n

Major-ID<\/b><\/p>\n<\/td>\n

\n

Sub-ID<\/b><\/p>\n<\/td>\n<\/tr>\n

\n

Successfully authorized<\/p>\n<\/td>\n

\n

0x03A2<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n

\n

0x132A<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n<\/tr>\n

\n

Message of the end of command<\/p>\n<\/td>\n

\n

0x0AC3<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n

\n

0x1AC3<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n<\/tr>\n

\n

Initialize module metadata<\/p>\n<\/td>\n

\n

0x194C<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n

\n

0x294C<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n<\/tr>\n

\n

Receive module data<\/p>\n<\/td>\n

\n

0x1AF2<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n

\n

0x2AC8<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n<\/tr>\n

\n

Launch module without pipe<\/p>\n<\/td>\n

\n

0x1397<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n

\n

0x230E<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n<\/tr>\n

\n

Delete module metadata<\/p>\n<\/td>\n

\n

0x1D50<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n

\n

0x2D06<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n<\/tr>\n

\n

Upload a file to C&C server<\/p>\n<\/td>\n

\n

0x390A<\/p>\n<\/td>\n

\n

0x35C3 & 0x35C4 & 0x3013<\/p>\n<\/td>\n

\n

0x590A<\/p>\n<\/td>\n

\n

0x55C3 & 0x55C4 & 0x5013<\/p>\n<\/td>\n<\/tr>\n

\n

List directories recursively<\/p>\n<\/td>\n

\n

0x390A<\/p>\n<\/td>\n

\n

0x35C5<\/p>\n<\/td>\n

\n

0x590A<\/p>\n<\/td>\n

\n

0x55C5<\/p>\n<\/td>\n<\/tr>\n

\n

Download a file from C&C server<\/p>\n<\/td>\n

\n

0x390A<\/p>\n<\/td>\n

\n

0x35C7 & 0x35C8 & 0x35C9 & 0x3013<\/p>\n<\/td>\n

\n

0x590A<\/p>\n<\/td>\n

\n

0x55C7 & 0x55C8 & 0x55C9 & 0x5013<\/p>\n<\/td>\n<\/tr>\n

\n

Write given data to pipe<\/p>\n<\/td>\n

\n

0x2099<\/p>\n<\/td>\n

\n

0x2186<\/p>\n<\/td>\n

\n

0x3099<\/p>\n<\/td>\n

\n

0x3167<\/p>\n<\/td>\n<\/tr>\n

\n

Write 0x32E0 to pipe<\/p>\n<\/td>\n

\n

0x2099<\/p>\n<\/td>\n

\n

0x220E<\/p>\n<\/td>\n

\n

0x3099<\/p>\n<\/td>\n

\n

0x32E0<\/p>\n<\/td>\n<\/tr>\n

\n

Write 0x38AF to pipe<\/p>\n<\/td>\n

\n

0x2099<\/p>\n<\/td>\n

\n

0x28FA<\/p>\n<\/td>\n

\n

0x3099<\/p>\n<\/td>\n

\n

0x38AF<\/p>\n<\/td>\n<\/tr>\n

\n

Send module data to another module<\/p>\n<\/td>\n

\n

0x2099<\/p>\n<\/td>\n

\n

0x2741<\/p>\n<\/td>\n

\n

0x3099<\/p>\n<\/td>\n

\n

0x3716<\/p>\n<\/td>\n<\/tr>\n

\n

Same as 0x3099<\/p>\n<\/td>\n

\n

0x2099<\/p>\n<\/td>\n

\n

0x2A0B<\/p>\n<\/td>\n

\n

0x3099<\/p>\n<\/td>\n

\n

0x3A0B<\/p>\n<\/td>\n<\/tr>\n

\n

Start TCP server to proxy packets to the C&C server<\/p>\n<\/td>\n

\n

0x2099<\/p>\n<\/td>\n

\n

0x2CBD<\/p>\n<\/td>\n

\n

0x3099<\/p>\n<\/td>\n

\n

0x3CD0<\/p>\n<\/td>\n<\/tr>\n

\n

Delete itself<\/p>\n<\/td>\n

\n

N\/A<\/p>\n<\/td>\n

\n<\/td>\n\n

0x1C1C<\/p>\n<\/td>\n

\n

–<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 1. Backdoor commands of Win.NOODLERAT<\/p>\n

The first one, Type 0x03A2, implements most commands except the last one, deleting itself. This type of Win.NOODLERAT was used by Iron Tiger and other unknown clusters for espionage purposes, suggesting that this version could be a shared version.<\/p>\n

The second one, Type 0x132A, implements full features. This type of Win.NOODLERAT was used only by Calypso APT. Therefore, this is likely an exclusive version.<\/p>\n

Interestingly, upon comparing the command IDs, we found that some have similar parts. For instance, the command IDs to upload a file to the C&C server are 0x390A and 0x590A respectively; this similarity might be an indicator of versioning, but there is not enough evidence to conclude such.<\/p>\n

Linux.NOODLERAT<\/span><\/b><\/p>\n

Linux.NOODLERAT is an ELF version of Noodle RAT, but with a different design. This backdoor has been used by several groups with various motivations, such as Rocke (Iron Cybercrime Group) for financial gains<\/a><\/p>\n

Cloud Snooper Campaign for espionage<\/a>, and an unknown cluster also for spying purposes. Since it\u2019s designed differently, its backdoor capabilities are also slightly different:<\/p>\n