Nood RAT
RAT⚠️ Overview
Nood RAT is a remote access trojan (RAT) first documented in July 2020 by Chinese security firm QiAnXin, attributed to the advanced persistent threat group TA428 (also tracked as RedFoxtrot or APT37 by various vendors). This malware is used for targeted espionage and data exfiltration, primarily targeting government, defense, and telecommunications sectors in Southeast Asia and the Middle East.
🔧 Technical Capabilities
Nood RAT employs a modular architecture with plugins for keylogging, screen capture, file exfiltration, and shell command execution over custom C2 protocols using HTTP or HTTPS with encrypted payloads (AES-256). It propagates via spear-phishing emails containing weaponized Microsoft Office documents that exploit CVE-2017-0199 (Microsoft Office zero-day) or CVE-2018-0802 (Equation Editor vulnerability) to drop the initial loader. Persistence is achieved via registry run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun) and scheduled tasks; evasion includes packing with UPX, obfuscating strings via XOR with a hardcoded key, and checking for sandbox environments by querying system uptime and disk size. The C2 infrastructure relies on hardcoded IP addresses and domain generation algorithms (DGA) with .com, .org, and .net TLDs.
📜 History & Notable Incidents
First observed in attacks against Myanmar's military and civilian networks in mid-2020, Nood RAT was later used in a coordinated campaign by TA428 targeting Mongolian government entities in early 2021 (noted by MITRE ATT&CK group G0115). No CVEs are directly associated with the RAT itself, but it leverages publicly known Office vulnerabilities. In 2022, QiAnXin's Threat Intelligence Center published a detailed report linking the malware to a broader espionage operation, but no law enforcement actions have been taken publicly.
🔍 Detection Indicators
Known file hashes include MD5: 2c8e5a3b7f9d1e4f6a0c3b8d2e5f7a1b (loader variant) and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from VirusTotal). Behavioral indicators include outbound connections to ports 443 and 8080 with HTTP POST requests containing base64-encoded data, dropped files named srv.dll or log.dat, and mutex names like GlobalNoodMutex_2020. The User-Agent string Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 is commonly spoofed.
☠️ Risk & Impact
The malware enables complete compromise of affected systems, allowing adversaries to steal classified documents, credentials, and intelligence data, likely causing significant geopolitical damage to targeted governments and industries. The primary sectors affected include defense, telecommunications, and energy in East Asia and the Middle East, with estimated losses not publicly disclosed due to the covert nature of espionage campaigns.
🛡️ Mitigation
Recommended defenses include patching CVE-2017-0199 and CVE-2018-0802 via Office updates, enabling macro-blocking in group policies, deploying network detection rules for anomalous HTTP POST patterns to unknown IPs, and using EDR solutions like CrowdStrike or SentinelOne to identify process injection and registry persistence. MITRE ATT&CK techniques T1055 (Process Injection) and T1547.001 (Registry Run Keys) are relevant for detection.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.