While investigating several incidents, we encountered the undocumented Linux-based backdoor, we dubbed “Noodle RAT”. This backdoor shares some part of code with “Rekoobe”, which is a Linux-based backdoor widely used by multiple actors, but implements additional backdoor capabilities with a custom C&C protocol. After further analysis, we figured out that Noodle RAT shares some part of code, including custom C&C protocol, backdoor command IDs and C&C configuration format, with Windows-based backdoor used by Calypso APT and Iron Tiger. Based on these overlaps, we concluded that these backdoors should be categorized as Noodle RAT but different architectures. This means that Noodle RAT is originally designed as a multi-platform backdoor targeting Windows and Linux.

Through this presentation, we will introduce the details of code overlaps between Windows/Linux versions of Noodle RAT, and how Noodle RAT for Linux has evolved from Rekoobe. Adding to that, we will show the possibility of malware development ecosystem in Chinese-speaking actors, including espionage-focused groups, behind Noodle RAT. At last, through the findings of Noodle RAT, we would like to point out that tool-based attribution is getting more challenging.