{
	"id": "160dcc7c-d8fc-44c2-b09b-d32652bbe759",
	"created_at": "2026-04-06T00:07:00.770081Z",
	"updated_at": "2026-04-10T03:28:24.277885Z",
	"deleted_at": null,
	"sha1_hash": "99f535f1944bf1f2a552c7e4f5f3ef95d8cf71fa",
	"title": "Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 967410,
	"plain_text": "Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant) - ASEC\r\nBy ATCP\r\nPublished: 2024-02-18 · Archived: 2026-04-02 12:31:18 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that runs on Linux. Although far fewer Linux builds of Gh0st RAT are seen than Windows builds, Linux cases are collected continuously. Nood RAT is classified as a Gh0st RAT variant because its code is similar to earlier Gh0st RAT code [1]. A builder used in the latest versions was found, and the malware was dubbed Nood RAT because the author named it Nood.\r\nNood RAT has been used in vulnerability exploitation attacks since 2018. Although no specific exploitation cases have been identified recently, new samples continue to appear on VirusTotal. This article highlights samples discovered over the last few years and analyzes them together with the builder.\r\n1. Overview\r\nGh0st RAT is a remote control malware developed by the C. Rufus Security Team of China [2] (this link is only available in Korean). Because its source code is public, malware authors have developed many variants from it, and threat actors still use that code in attacks today. Although the source is public, it is mainly used by Chinese-speaking threat actors.\r\nASEC previously published an article on a case in which Gh0stCringe RAT, a Gh0st RAT variant, was distributed to database servers (MS-SQL and MySQL) [3], and later a case in which HiddenGh0st, a Gh0st RAT variant that also installs the Hidden rootkit, was used in attacks on MS-SQL servers. 
[4]\r\nAlthough there may be many Linux builds of the malware, since the source is public, the Nood RAT variant discussed in this article was first seen around 2018. The oldest records are a case in which it was installed through a WebLogic vulnerability (CVE-2017-10271) attack [5] and a case in which the threat actor Rocke used it to install CoinMiners [6]. The malware was also used in the Cloud Snooper APT campaign in 2020, in which the threat actor installed a backdoor on AWS (Amazon.com’s cloud service) servers and took control of them [7].\r\nNood RAT is built with the following builder. The archive contains a release note, the builder program “NoodMaker.exe”, and “Nood.exe”, the controller used to operate the backdoor. In NoodMaker the threat actor can generate an x86 or x64 binary and pick the one that matches the target system’s architecture.\r\nhttps://asec.ahnlab.com/en/62144/\r\nPage 1 of 7\n\nFigure 1. Nood RAT builder (A Linux version of Gh0st RAT)\r\nNood RAT can change its process name to disguise itself as a legitimate program. The threat actor chooses the fake process name at build time. When the malware is first launched it uses RC4 to decrypt an encrypted blob; the decrypted string is the process name it switches to. The configuration data is also RC4-encrypted, and the RC4 key used to decrypt it is the string “r0st@#$”. Note that the Socks proxy and port forwarding traffic uses the string “VMware#@!Station” instead.\r\nFigure 2. 
The feature that changes the process name\r\nAfter changing its process name, the malware copies itself to “/tmp/CCCCCCCC”, executes the copy, and deletes “/tmp/CCCCCCCC”. The running process therefore appears to have been started from “/tmp/CCCCCCCC”, yet that file no longer exists on disk, and the process is listed under a legitimate-looking fake name. The unlinked executable stays readable through /proc/<pid>/exe (which reports the path with a “(deleted)” suffix) for as long as the process runs, which gives defenders a hunting signal.\r\nFigure 3. The changed process name\r\nThe malware then decrypts its configuration data, which consists of the C\u0026C server addresses, the days and time window during which it is active, and the interval between C\u0026C connection attempts. The threat actor can thus restrict when the malware contacts the C\u0026C server and receives commands.\r\nConfiguration Data Format:\r\n“C\u0026C_Server_1”;“C\u0026C_Server_2”|“Mon”;“Tue”;“Wed”;“Thu”;“Fri”;“Sat”;“Sun”;|“Time”;|“Interval”\r\nIn the collected samples (Table 4) each field ends with a semicolon, the seven weekday fields are flags (1 in every collected sample), and “Time” is an hour range such as 00-24.\r\nFigure 4. Builder and configuration data\r\nWhen first connecting to the C\u0026C server, Gh0st RAT collects basic information about the infected system and sends it. The data is RC4-encrypted, and because the key is derived from the current time the ciphertext differs on every connection, so static packet-content signatures do not match. Note that the 4-byte seed (“Key Type 1”) travels in cleartext in the same packet, so a decoder that reproduces the key derivation can still recover the contents; the scheme is obfuscation rather than confidentiality.\r\nOffset | Size | Data\r\n0x0000 | 0x0018 | “Key Type 2” (encrypted with Key Type 1)\r\n0x0018 | 0x0004 | “Key Type 1”\r\n0x001C | 0x0208 | Infected system’s information (encrypted with Key Type 2)\r\nTable 1. Data sent to C\u0026C server\r\nThe first block is 0x18 bytes and consists of two hardcoded 4-byte values and four 4-byte values generated from the current time. These values are RC4-encrypted and sent to the server.\r\n
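Returning to the process-name disguise described above: the unlinked /tmp/CCCCCCCC binary remains visible through /proc. The following Python script is an added hunting check written for this page, not code from the article or from ASEC. For every process it reads comm, argv[0] and the target of /proc/<pid>/exe and flags three things: an executable that was deleted while still running, a process named like a kernel thread ([kworker/N:M]) that nevertheless has a userland executable, and an argv[0] path whose basename does not match the real binary. The SAMPLE_PROCS rows are constructed to mimic the fake names from this article; the function names and heuristics are this example’s own, not detection logic from ASEC.

```python
import os

# Constructed sample of what /proc exposes, as (pid, comm, argv[0], target of
# /proc/<pid>/exe). Rows 2731 and 2904 mimic the behaviour described in the
# article: a fake name (/usr/bin/ssh, or the kernel-thread-like [kworker/2:0])
# while the real binary, /tmp/CCCCCCCC, has already been unlinked. Row 3 is a
# genuine kernel thread: no cmdline and no exe link at all. Row 1337 shows a
# daemon that legitimately rewrites its argv and must not be flagged.
SAMPLE_PROCS = [
    (812, 'sshd', '/usr/sbin/sshd', '/usr/sbin/sshd'),
    (1337, 'nginx', 'nginx: master process /usr/sbin/nginx', '/usr/sbin/nginx'),
    (2731, 'ssh', '/usr/bin/ssh', '/tmp/CCCCCCCC (deleted)'),
    (2904, 'kworker/2:0', '[kworker/2:0]', '/tmp/CCCCCCCC (deleted)'),
    (3, 'kworker/0:0', '', ''),
]

DELETED = ' (deleted)'  # suffix the kernel appends to the exe link of an unlinked binary


def classify(argv0, exe_target):
    # Returns the reasons a process looks like it is hiding; an empty list means clean.
    reasons = []
    deleted = exe_target.endswith(DELETED)
    real = exe_target[:-len(DELETED)] if deleted else exe_target
    if deleted:
        reasons.append(f'executable {real} was unlinked while the process keeps running')
    if argv0.startswith('[') and real:
        # Real kernel threads have no exe target, so a bracketed name with one is a lie.
        reasons.append(f'{argv0} claims to be a kernel thread but runs {real}')
    if argv0.startswith('/') and real:
        # argv[0] rewritten to a legitimate path: compare basenames with the real binary,
        # resolving symlinks on the claimed path when it exists on this host.
        claimed = os.path.realpath(argv0) if os.path.exists(argv0) else argv0
        if os.path.basename(claimed) != os.path.basename(real):
            reasons.append(f'argv[0] {argv0} does not match executable {real}')
    return reasons


def hunt(rows):
    # rows: iterable of (pid, comm, argv0, exe_target); returns only suspicious entries.
    findings = []
    for pid, comm, argv0, exe_target in rows:
        reasons = classify(argv0, exe_target)
        if reasons:
            findings.append({'pid': pid, 'comm': comm, 'argv0': argv0, 'reasons': reasons})
    return findings


def snapshot_proc(proc='/proc'):
    # Live collector producing the same tuple shape from a running Linux host.
    rows = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = os.path.join(proc, name)
        try:
            with open(os.path.join(base, 'comm')) as f:
                comm = f.read().strip()
            with open(os.path.join(base, 'cmdline'), 'rb') as f:
                argv0 = f.read().split(bytes(1))[0].decode('utf-8', 'replace')
        except OSError:
            continue  # the process exited while we were scanning
        try:
            exe_target = os.readlink(os.path.join(base, 'exe'))
        except OSError:
            exe_target = ''  # kernel thread, zombie, or no permission to inspect it
        rows.append((int(name), comm, argv0, exe_target))
    return rows


if __name__ == '__main__':
    for finding in hunt(SAMPLE_PROCS) + hunt(snapshot_proc()):
        print(finding['pid'], finding['comm'], finding['argv0'], '; '.join(finding['reasons']))
```

Run it as root: reading the exe link of another user’s process requires CAP_SYS_PTRACE, and without it those rows come back with an empty target and are skipped. A (deleted) target also appears legitimately when a package upgrade replaces the binary of a long-running daemon, so treat hits as triage leads; the deleted binary can still be copied out of /proc/<pid>/exe for analysis while the process lives.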
The RC4 key used to encrypt this 0x18-byte block is derived from the 4-byte value “Key Type 1”.\r\nOffset | Size | Data\r\n0x00 | 0x04 | Generated 4-byte value #1\r\n0x04 | 0x04 | Generated 4-byte value #2\r\n0x08 | 0x04 | Generated 4-byte value #3\r\n0x0C | 0x04 | 0x00009F72 (constant)\r\n0x10 | 0x04 | Generated 4-byte value #4\r\n0x14 | 0x04 | 0x000002E9 (constant)\r\nTable 2. Encrypted key data (“Key Type 2”)\r\nThe C\u0026C server derives an RC4 key from “Key Type 1” to decrypt “Key Type 2”, then derives a second RC4 key from “Key Type 2” to decrypt the 0x0208-byte block, obtaining the infected system’s information.\r\nOffset | Type | Data\r\n0x0000 | String | Login banner (contents of “/etc/issue.net” or “/etc/issue”)\r\n0x0100 | Flag | Whether the login banner was obtained (0x01 / 0x00)\r\n0x0101 | Flag | Whether “/proc/version” contains the keyword x86_64 (0x01 / 0x00)\r\n0x0102 | String | Host name\r\n0x0202 | Flag | Whether the host name was obtained (0x01 / 0x00)\r\n0x0203 | Hex | IP address as a 4-byte value\r\n0x0207 | Flag | Whether the IP address was obtained (0x01 / 0x00)\r\nTable 3. The infected system’s information sent to the C\u0026C server\r\nFigure 5. The infected system’s information shown on the C\u0026C panel\r\nNood RAT supports four main features: remote shell, file management, Socks proxy, and port forwarding. With these, threat actors can run commands on infected systems or steal data through file upload and download. They can also use infected systems as proxies, or pivot through them during lateral movement via port forwarding.\r\nFigure 6. Commands supported by Nood RAT\r\n3. Attack Cases\r\nWebLogic vulnerability attacks and the Cloud Snooper APT campaign are among the past attacks that used Nood RAT. Nood RAT samples are still being collected today and continue to be uploaded to VirusTotal.\r\n
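Table 4 below lists the decrypted configuration of each collected sample. The following Python script is an added example written for this page, not code from the article, from the Nood builder or from ASEC: it implements RC4, decrypts a configuration blob with the key r0st@#$ that the article reports, parses the four-group format (servers, weekday flags, time window, interval) into a structure, and evaluates whether the implant would beacon at a given moment. No real sample bytes are reproduced here, so SAMPLE_BLOB is constructed by encrypting the plaintext of the 220726 row from Table 4 (refanged) with that same key. RESTRICTED_CONFIG, the assumption that the decrypted string is NUL-terminated, and the reading of the hour window as start-inclusive and end-exclusive are this example’s own.

```python
from datetime import datetime

# RC4 key the article reports for the Nood RAT configuration blob.
RC4_CONFIG_KEY = b'r0st@#$'
WEEKDAYS = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun')


def rc4(key, data):
    # Textbook RC4 (KSA then PRGA). The cipher is symmetric, so the same call
    # encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def parse_config(text):
    # Layout from the article: servers | seven weekday flags | time window | interval,
    # every field ended by ';'. Defanged hosts ([.]) pasted from Table 4 are accepted.
    groups = text.split('|')
    if len(groups) != 4:
        raise ValueError(f'expected 4 groups separated by |, got {len(groups)}')
    servers = []
    for entry in groups[0].split(';'):
        if entry:
            host, _, port = entry.replace('[.]', '.').rpartition(':')
            servers.append((host, int(port)))
    flags = [f for f in groups[1].split(';') if f]
    if len(flags) != 7:
        raise ValueError(f'expected 7 weekday flags, got {len(flags)}')
    days = {day: flags[i] == '1' for i, day in enumerate(WEEKDAYS)}
    start, _, end = groups[2].strip(';').partition('-')
    return {
        'servers': servers,
        'days': days,
        'hours': (int(start), int(end)),
        'interval': int(groups[3].strip(';')),
    }


def decrypt_config(blob, key=RC4_CONFIG_KEY):
    # Assumption: the decrypted string is NUL-terminated inside a padded buffer.
    plain = rc4(key, blob).split(bytes(1))[0]
    return parse_config(plain.decode('ascii'))


def is_active(cfg, when):
    # The operator can limit beaconing to certain weekdays and hours. Assumption:
    # the window is start-inclusive and end-exclusive, so 00-24 means always on.
    start, end = cfg['hours']
    return cfg['days'][WEEKDAYS[when.weekday()]] and start <= when.hour < end


# Constructed test vectors: the blob is the plaintext of the 220726 row from
# Table 4 (refanged), NUL-padded and encrypted with the key the malware uses.
SAMPLE_CONFIG = '101.42.139.110:8443;101.42.139.110:53;|1;1;1;1;1;1;1;|00-24;|1'
SAMPLE_BLOB = rc4(RC4_CONFIG_KEY, SAMPLE_CONFIG.encode('ascii') + bytes(16))
# A hypothetical restricted configuration: weekdays only, 09:00 to 18:00.
RESTRICTED_CONFIG = 'c2.example:443;|1;1;1;1;1;0;0;|09-18;|10'


if __name__ == '__main__':
    print(decrypt_config(SAMPLE_BLOB))
    restricted = parse_config(RESTRICTED_CONFIG)
    for ts in (datetime(2024, 2, 14, 10), datetime(2024, 2, 17, 10)):
        print(ts, 'active' if is_active(restricted, ts) else 'dormant')
```

To use this on a real sample, carve the encrypted configuration out of the binary and pass it to decrypt_config; rows of Table 4 can be fed to parse_config as they are, since the defanged [.] notation is refanged on the way in. The interval is kept as the raw integer because the article does not state its unit.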
Details of the attack methods have not yet been uncovered, but threat actors are likely using the malware to control infected systems and steal information from them. The following table gives an overview of the Nood RAT samples discovered over the past few years (columns: date of collection as YYMMDD, country, file name, disguised process name, and the configuration data, which is the last column and itself contains | separators).\r\nDate | Country | Name | Disguised Process | Configuration Data\r\n240130 | KR | AliDunYun | /usr/bin/ssh | 43.156.118[.]72:443;43.156.118[.]72:443;|1;1;1;1;1;1;1;|00-24;|1\r\n240116 | HK | pki.rar | /usr/bin/ssh | b.niupilao[.]vip:80;|1;1;1;1;1;1;1;|00-24;|1\r\n231028 | PH | x.uu | [kworker/0:0] | update.kworker[.]net:443;check.snapupdate[.]org:80;|1;1;1;1;1;1;1;|00-24;|1\r\n231027 | CN | nginx | /usr/bin/ssh | 42.51.40[.]184:56;|1;1;1;1;1;1;1;|00-24;|1\r\n230907 | RU | MFWzS4YNXpQd | [kworker/2:0] | 13.214.222[.]35:443;|1;1;1;1;1;1;1;|00-24;|1\r\n221013 | HK | hsperf | kworker | cloud.awsxtd[.]com:443;|1;1;1;1;1;1;1;|00-24;|3\r\n220911 | RU | adyagent | /usr/bin/ssh | 43.140.251[.]218:8080;|1;1;1;1;1;1;1;|00-24;|1\r\n220726 | CN | update | /usr/bin/ssh | 101.42.139[.]110:8443;101.42.139[.]110:53;|1;1;1;1;1;1;1;|00-24;|1\r\n220113 | CN | update | /usr/bin/ssh | 81.68.143[.]132:1234;81.68.143[.]132:8080;|1;1;1;1;1;1;1;|00-24;|1\r\n211213 | VN | bo | /usr/bin/ssh | bo.appleupcheck[.]com:443;|1;1;1;1;1;1;1;|00-24;|1\r\n210921 | PK | N/A | /usr/sbin/xfs_srv | 194.36.191[.]75:443;|1;1;1;1;1;1;1;|00-24;|1\r\n210601 | CN | titan.bin | /usr/bin/ssh | 1.117.165[.]141:53;1.117.165[.]141:53;|1;1;1;1;1;1;1;|00-24;|1\r\n210403 | CN | N/A | /sbin/auditd | 23.100.88[.]61:53;|1;1;1;1;1;1;1;|00-24;|10\r\nTable 4. Nood RAT malware\r\n4. Conclusion\r\nVarious threat actors have been actively using Gh0st RAT to infect not only Windows systems but also Linux systems, through a Linux counterpart developed from the public source code. 
Among the Gh0st RAT variants, the Linux variant Nood continues to be found and collected across many countries.\r\nNood RAT is a backdoor that receives commands from the C\u0026C server to perform malicious activities such as downloading further files, stealing files from the system, and executing commands. Although simple, it encrypts its traffic to avoid network packet detection and can carry out a range of malicious activities on the attacker’s command.\r\nTo prevent such threats, administrators should check for vulnerable configurations and weak credentials and keep the relevant systems updated to the latest versions. V3 should also be updated to the latest version so that infections can be blocked.\r\nFile Detection\r\n– Linux/Agent.86208 (2029.01.08.00)\r\n– Backdoor/Linux.Rekoobe.86144 (2022.06.15.00)\r\n– Backdoor/Linux.Rekoobe.86176 (2022.06.15.00)\r\n– Backdoor/Linux.Rekoobe.83264 (2022.06.15.00)\r\nMD5\r\n035f83018cf96f5e1f6817ccd39fc0b6\r\n0a35e06f53c17ab1c8e18e7e0c0821d8\r\n35743db3dc333245ef5b69100721ced9\r\n4f3afdcfff8f7994b7d3d3fbaa6858b4\r\n75838e5d481da40db2e235a6d5a222ef\r\nURL\r\nhttp[:]//1[.]117[.]165[.]141[:]53/\r\nhttp[:]//101[.]42[.]139[.]110[:]53/\r\nhttp[:]//101[.]42[.]139[.]110[:]8443/\r\nhttp[:]//23[.]100[.]88[.]61[:]53/\r\nhttp[:]//42[.]51[.]40[.]184[:]56/\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/62144/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/62144/"
	],
	"report_names": [
		"62144"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434020,
	"ts_updated_at": 1775791704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99f535f1944bf1f2a552c7e4f5f3ef95d8cf71fa.pdf",
		"text": "https://archive.orkl.eu/99f535f1944bf1f2a552c7e4f5f3ef95d8cf71fa.txt",
		"img": "https://archive.orkl.eu/99f535f1944bf1f2a552c7e4f5f3ef95d8cf71fa.jpg"
	}
}