Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant)

AhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that works in Linux. Although the number of Gh0st RAT for Linux is fewer compared to Gh0st RAT for Windows, the cases of Gh0st RAT for Linux are continuously being collected. Nood RAT is categorized as a variant of Gh0st RAT based on the code’s similarity with previous codes from Gh0st RAT [1]. A builder used in the latest developments was found, and it was dubbed Nood RAT, because the author named it Nood.
AhnLab 安全情报中心 (ASEC) 最近发现 Nood RAT 被用于恶意软件攻击。 Nood RAT 是在 Linux 上运行的 Gh0st RAT 的变体。尽管与 Windows 的 Gh0st RAT 相比，Linux 的 Gh0st RAT 数量较少，但 Linux 的 Gh0st RAT 案例仍在不断收集。根据代码与 Gh0st RAT 之前代码的相似性，Nood RAT 被归类为 Gh0st RAT 的变体 [1]。找到了最新开发中使用的构建器，并将其命名为Nood RAT，因为作者将其命名为Nood。

Nood RAT has been used in various vulnerability attacks since 2018. Although no specific cases of vulnerability attacks have been found recently, cases are continuously being discovered according to the VirusTotal website. This article highlights malware strains discovered over the last few years and analyzes them along with the builder.
自2018年以来，Nood RAT已被用于各种漏洞攻击。虽然最近没有发现具体的漏洞攻击案例，但根据VirusTotal网站的数据，案例正在不断发现。本文重点介绍了过去几年发现的恶意软件菌株，并与构建者一起对其进行了分析。

1. Overview 1. 概述

Gh0st RAT is a remote control malware developed by the C. Rufus Security Team of China [2] (This link is only available in Korean.) Because its source code is open to the public, malware authors have been developing various variants using this code, and the threat actors have been utilizing the codes in their attacks to this day. Although the source code is open to the public, the code is mainly used by threat actors who speak Chinese.
Gh0st RAT 是由中国 C. Rufus 安全团队开发的远程控制恶意软件 [2]（此链接仅提供韩语版本。）由于其源代码向公众开放，恶意软件作者一直在使用此代码开发各种变体，迄今为止，威胁行为者一直在攻击中使用这些代码。尽管源代码向公众开放，但该代码主要由讲中文的威胁行为者使用。

In the past, ASEC posted an article about the case where Gh0st RAT’s variant Gh0stCringe RAT was distributed to database servers (MS-SQL and MySQL server) [3] and later posted the case where HiddenGh0st—the variant of Gh0st RAT that simultaneously installs a Hidden rootkit—was used in attacks on MS-SQL servers. [4]
过去，ASEC 发布了一篇关于 Gh0st RAT 的变种 Gh0stCringe RAT 分发到数据库服务器（MS-SQL 和 MySQL 服务器）的案例 [3]，随后发布了 HiddenGh0st（Gh0st RAT 的变种同时安装隐藏的 rootkit — 用于攻击 MS-SQL 服务器。 [4]

Although there may be various Linux versions of the malware strains as the source code is open to the public, the Nood RAT variant discussed in this article was first found around 2018. The oldest record of the malware is the case where it was installed via a WebLogic vulnerability (CVE-2017-10271) attack [5], and the case where it was used by the threat actor Rocke to install CoinMiners in their attacks. [6] The malware was also used in the Cloud Snooper APT attack campaign in 2020, where the threat actor installed a backdoor malware in AWS (Amazon.com’s cloud service) servers and hijacked control of the servers. [7]
尽管由于源代码向公众开放，该恶意软件变种可能有各种 Linux 版本，但本文中讨论的 Nood RAT 变种于 2018 年左右首次发现。该恶意软件的最早记录是通过WebLogic 漏洞 (CVE-2017-10271) 攻击 [5]，以及威胁参与者 Rocke 在攻击中使用该漏洞安装 CoinMiners 的情况。 [6] 该恶意软件还被用于 2020 年的 Cloud Snooper APT 攻击活动，威胁行为者在 AWS（亚马逊的云服务）服务器中安装了后门恶意软件并劫持了服务器的控制权。 [7]

2. Analysis of Gh0st RAT for Linux
2. Linux 下的 Gh0st RAT 分析

Nood RAT is developed using the following builder. The compressed file contains a release note, a builder program “NoodMaker.exe”, and a “Nood.exe” which is used to control the backdoor. During the creation of NoodMaker, the threat actor can create x86 or x64 binary based on the architecture and choose and use the binary that fits the target system.
Nood RAT 是使用以下构建器开发的。压缩文件包含发行说明、构建程序“NoodMaker.exe”和用于控制后门的“Nood.exe”。在NoodMaker的创建过程中，威胁行为者可以根据架构创建x86或x64二进制文件，并选择和使用适合目标系统的二进制文件。

Figure 1. Nood RAT builder (A Linux version of Gh0st RAT)
图 1. Nood RAT 构建器（Gh0st RAT 的 Linux 版本）

Nood RAT has a feature that changes its name in order to disguise itself as a legitimate program. The threat actor is able to decide the malware’s fake process name during the development stage. When the malware is launched for the first time it uses the RC4 algorithm to decrypt the encrypted data. The string decrypted here is the name of the process to be changed. Additionally, the configuration data is also encrypted using the RC4 algorithm, and the RC4 key used in the decryption process is the string “r0st@#$”. Note that in Socks proxy and port forwarding communication, the string “VMware#@!Station” is used instead.
Nood RAT 有一个功能，可以更改名称以将自己伪装成合法程序。威胁参与者能够在开发阶段确定恶意软件的虚假进程名称。当恶意软件第一次启动时，它使用 RC4 算法来解密加密数据。这里解密的字符串是要更改的进程的名称。另外，配置数据也使用RC4算法进行加密，解密过程中使用的RC4密钥是字符串“r0st@#$”。请注意，在 Socks 代理和端口转发通信中，使用字符串“VMware#@!Station”。

Figure 2. The feature that changes the process name
图 2. 更改进程名称的功能

After changing its process name, said malware copies and pastes itself into the “/tmp/CCCCCCCC” path, runs it, and deletes the copied file “/tmp/CCCCCCCC.” As such, the running malware takes the form of an executed file “/tmp/CCCCCCCC,” but the file does not exist and the malware is shown as a legitimate process with a fake process name.
更改进程名称后，该恶意软件会将自身复制并粘贴到“/tmp/CCCCCCCC”路径中，运行它，并删除复制的文件“/tmp/CCCCCCCC”。因此，正在运行的恶意软件采用执行文件“/tmp/CCCCCCCC”的形式，但该文件并不存在，并且恶意软件显示为具有虚假进程名称的合法进程。

Figure 3. The changed process name
图 3. 更改后的进程名称

Afterward, the malware decrypts the configuration data which is largely divided into C&C server addresses, date and time of activation, and C&C connection attempt intervals. The threat actor can set the activation date and time at which said malware can communicate with the C&C server and receive commands.
然后，恶意软件解密配置数据，这些数据主要分为 C&C 服务器地址、激活日期和时间以及 C&C 连接尝试间隔。威胁行为者可以设置该恶意软件可以与 C&C 服务器通信并接收命令的激活日期和时间。

• Configuration Data Format: “C&C_Server_1″;”C&C_Server_2″|”Mon”;”Tue”;”Wed”;”Thu”;”Fri”;”Sat”;”Sun”;|”Time”;|”Interval”
  配置数据格式：“C&C_Server_1”;“C&C_Server_2”|“Mon”;“Tue”;“Wed”;“Thu”;“Fri”;“Sat”;“Sun”;|“Time”;|“Interval”

Figure 4. Builder and configuration data
图 4. 构建器和配置数据

When connecting to the C&C server for the first time, Gh0st RAT obtains basic information about the infected system and sends the data. The sent data is encrypted using the RC4 algorithm, and because the key used in the encryption is created based on the current time, it can bypass network packet-based detection.
当第一次连接到C&C服务器时，Gh0st RAT会获取受感染系统的基本信息并发送数据。发送的数据使用RC4算法进行加密，并且由于加密中使用的密钥是根据当前时间创建的，因此可以绕过基于网络数据包的检测。

The first sent data has a size of 0x18 and consists of two hardcoded 4-byte values and four 4-byte values that are created based on the current time. These values are encrypted using the RC4 algorithm and are sent to the server. The keys used to encrypt these values are created using a key called “Key Type 1.”
第一个发送的数据大小为 0x18，由两个硬编码的 4 字节值和四个基于当前时间创建的 4 字节值组成。这些值使用 RC4 算法加密并发送到服务器。用于加密这些值的密钥是使用名为“密钥类型 1”的密钥创建的。

The C&C server is able to use “Key Type 1” to create an RC4 key to decrypt “Key Type 2,” and utilize the RC4 key that was created using “Key Type 2” to decrypt 0x0208-sized data, ultimately obtaining the infected system’s information.

Figure 5. The infected system’s information shown on the C&C panel
图 5. C&C 面板上显示的受感染系统信息

Nood RAT largely supports four features which are: remote shell & file management, Socks proxy, and port forwarding. Through this, threat actors can run malicious commands on infected systems or steal information using file upload and download features. Additionally, threat actors can use infected systems as proxies or use the systems during the lateral movement phase via the port forwarding feature.
Nood RAT 主要支持四种功能：远程 shell 和文件管理、Socks 代理和端口转发。通过这种方式，威胁行为者可以在受感染的系统上运行恶意命令或使用文件上传和下载功能窃取信息。此外，威胁行为者可以使用受感染的系统作为代理，或者在横向移动阶段通过端口转发功能使用这些系统。

Figure 6. Commands supported by Nood RAT

3. Attack Cases

WebLogic vulnerability attacks and Cloud Snooper APT attacks are some of the attacks that used Nood RAT in the past. Nood RAT are still being continuously collected even today, and are also uploaded by the VirusTotal website. Details of attack methods have not yet been uncovered, but it is likely that threat actors are using the malware to control infected systems and steal information from such systems. The following is a table that provides an overview of Nood RATs discovered during the past few years.

4. Conclusion

Various threat actors have been actively using Gh0st RAT to infect not only Windows systems but also its Linux counterpart—developed based on the publicized source code. Among the variants of Gh0st RAT, a Linux variant called Nood continues to be found and collected across nations.

Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious activities such as downloading malicious files, stealing systems’ internal files, and executing commands. Although simple in form, it is equipped with the encryption feature to avoid network packet detection and can receive commands from threat actors to carry out multiple malicious activities.

To prevent such security threats, users must check their vulnerable environment configuration or credentials and always update relevant systems to the latest versions. Also, V3 should be updated to the latest version so that malware infection can be prevented.

File Detection
– Linux/Agent.86208 (2029.01.08.00)
–Linux/Agent.86208 (2029.01.08.00)
– Backdoor/Linux.Rekoobe.86144 (2022.06.15.00)
– 后门/Linux.Rekoobe.86144 (2022.06.15.00)
– Backdoor/Linux.Rekoobe.86176 (2022.06.15.00)
– 后门/Linux.Rekoobe.86176 (2022.06.15.00)
– Backdoor/Linux.Rekoobe.83264 (2022.06.15.00)
– 后门/Linux.Rekoobe.83264 (2022.06.15.00)

IoC
MD5
– 035f83018cf96f5e1f6817ccd39fc0b6
– b4910e998cf58da452f8151b71c868cb
– 4f3afdcfff8f7994b7d3d3fbaa6858b4
– a15ebd19cac42b0297858018da62b1be
– c440bd814be37fac669567131c4ba996
– 75838e5d481da40db2e235a6d5a222ef
– 905c2158fadfe31850766f010e149a0f
– 8457f71c6a5fe83bb513d1dfba99271a
– 35743db3dc333245ef5b69100721ced9
– 7d631e5b0c78805dd5d440cce788d25b
– 0a35e06f53c17ab1c8e18e7e0c0821d8
– 97db3f7676380f0baa3840ed5d5c1767
– d9f00f71efabdfcca7c63d4b0805673c

C&C
– 43.156.118[.]72:443
– b.niupilao[.]vip:80
– update.kworker[.]net:443
– check.snapupdate[.]org:80
– 42.51.40[.]184:56
– 13.214.222[.]35:443
– cloud.awsxtd[.]com:443 –cloud.awsxtd[.]com:443
– 43.140.251[.]218:8080
– 101.42.139[.]110:8443
– 101.42.139[.]110:53
– 81.68.143[.]132:1234
– 81.68.143[.]132:8080
– bo.appleupcheck[.]com:443
– 194.36.191[.]75:443
– 1.117.165[.]141:53
– 23.100.88[.]61:53

原文始发于ASEC：Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant)