Nood RAT Attacking Linux Servers To Steal Sensitive Data

Nood RAT was recently found to be utilized in malware attacks targeting Linux servers to steal sensitive information.

A Linux-compatible variant of Gh0st RAT is called Nood RAT. Gh0st RAT for Linux cases is constantly being obtained, even though it is less frequent than Gh0st RAT for Windows.

In particular, Nood RAT is a backdoor malware that may carry out malicious operations such as downloading malicious files, stealing internal system files, and executing commands. 

Though its form is simple, it may receive commands from threat actors to perform various harmful operations. It is equipped with an encryption function to evade network packet identification.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Highlights Of The Malware Strains

AhnLab SEcurity Intelligence Center (ASEC) reported that with Nood RAT, the compressed file includes a building program called “NoodMaker.exe,” a release note, and a backdoor control program called “Nood.exe.”

Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

The threat actor can choose and use the x86 or x64 binary that matches the target system while creating NoodMaker, depending on the architecture.

Nood RAT builder 

One of Nood RAT’s features allows it to pretend to be its name as an authentic program. The threat actor can choose the malware’s fake process name during the development phase.

The malware uses the RC4 algorithm to decrypt the encrypted data when it first starts. This string, decrypted, contains the name of the process that has to be modified.

“The malware decrypts the configuration data largely divided into C&C server addresses, date and time of activation, and C&C connection attempt intervals.

The threat actor can set the activation date and time at which said malware can communicate with the C&C server and receive commands”, ASEC researchers shared with Cyber Security News.

Infected system’s information sent to the C&C server

The four main functions that Nood RAT supports are port forwarding, Socks proxy, remote shell, file management, and remote shell.

Threat actors can use this to upload and download files, perform malicious commands on compromised systems, and steal data.

The Chinese C. Rufus Security Team is the developer of the remote control malware known as Gh0st RAT.

Since its source code is available to the public, threat actors have continued to use the codes in their attacks, and malware developers have been exploiting it to create a variety of variations. 

Some of the previous attacks that used Nood RAT were WebLogic vulnerability attacks (CVE-2017-10271) and Cloud Snooper APT attacks in 2020.

Users should always upgrade relevant systems to the most recent versions and examine their credentials or environment configuration to prevent such security concerns.

CyberXtron disclosed the Indicators of Compromise (IoC) information.

Additionally, V3 needs to be updated to the most recent version to avoid malware infection.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.