In-Memory Malware: Understanding Noodle RAT

Noodle RAT modular backdoor: file transfer, malware execution, self-deletion.

“Unleash the power of Noodle RAT: The versatile backdoor tool for cyber espionage, now utilized by notorious hacking groups worldwide.”

Noodle RAT: The Windows Backdoor Used by Iron Tiger and Calypso Hacking Groups

Noodle RAT, an in-memory modular backdoor, has been making waves in the cybersecurity world as it has been put to use by hacking crews like Iron Tiger and Calypso. This Windows version of the RAT (Remote Access Trojan) is launched via a loader due to its shellcode foundations, and it supports a range of commands that make it a versatile and dangerous tool for cybercriminals.

One of the key features of Noodle RAT is its ability to download and upload files, which allows attackers to extract sensitive data from compromised systems or upload additional types of malware to further their attacks. It can also function as a TCP proxy, enabling attackers to route their traffic through the infected system and evade detection by security systems. Additionally, Noodle RAT has a self-deletion feature, which allows attackers to cover their tracks by removing all traces of the malware from the system once their objectives have been achieved.

To date, at least two different types of loaders have been observed in attacks that have targeted Thailand and India. The MULTIDROP loader has been used in attacks aimed at Thailand, while the MICROLOAD loader has been observed in attacks targeting India. These loaders are responsible for injecting the Noodle RAT shellcode into the memory of the compromised system, allowing the attackers to execute their commands and maintain persistence on the system.

The Linux counterpart of Noodle RAT has also been utilized by different cybercrime and espionage clusters linked to China, including Rocke and Cloud Snooper. These groups have been known to use the Linux version of the RAT to target organizations in various industries, including finance, healthcare, and government. The Linux version of Noodle RAT shares many of the same features as the Windows version, making it just as dangerous and versatile.

The use of Noodle RAT by hacking groups like Iron Tiger and Calypso highlights the growing trend of cybercriminals using in-memory malware to evade detection by traditional security systems. In-memory malware, also known as fileless malware, operates entirely in the memory of the infected system, leaving no traces on the hard drive. This makes it much more difficult for security systems to detect and remove the malware, as there are no files to scan or analyze.

To protect against threats like Noodle RAT, organizations need to adopt a multi-layered approach to cybersecurity that includes both traditional security systems and advanced threat detection and response solutions. This includes implementing endpoint detection and response (EDR) solutions that can detect and respond to in-memory threats in real-time, as well as network security solutions that can identify and block malicious traffic.

Noodle RAT is a powerful and versatile backdoor that has been put to use by hacking groups like Iron Tiger and Calypso. Its ability to download and upload files, function as a TCP proxy, and delete itself makes it a dangerous tool for cybercriminals. Organizations need to be aware of the threat posed by in-memory malware like Noodle RAT and take steps to protect themselves against these types of attacks.