
NonEuclid Remote Access Trojan (RAT) Threatens Windows Systems

Introduction

Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems.

Characteristics of NonEuclid

The NonEuclid remote access trojan (RAT), developed in C#, is highly sophisticated malware offering unauthorised remote access with advanced evasion techniques. It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware-style encryption of critical files.

Distribution and Promotion

NonEuclid has been advertised in underground forums since at least late November 2024, with tutorials and discussions about the malware discovered on popular platforms like Discord and YouTube. This points to a concerted effort to distribute the malware as a crimeware solution.

Evasion Techniques

At its core, the RAT begins with an initialization phase for the client application, then performs a series of checks to evade detection before setting up a TCP socket for communication with a specified IP address and port. It also configures Microsoft Defender Antivirus exclusions so that its artifacts are not flagged by the security tool, and keeps tabs on processes such as "taskmgr.exe," "processhacker.exe," and "procexp.exe," which are often used for analysis and process management.

Anti-Analysis Techniques

Some of the anti-analysis techniques adopted by the malware include checks to determine whether it is running in a virtual or sandboxed environment; if so, the program terminates immediately. It also incorporates features to bypass the Windows Antimalware Scan Interface (AMSI).

Persistence and Privilege Escalation

While persistence is accomplished by means of scheduled tasks and Windows Registry changes, NonEuclid also attempts to elevate privileges by circumventing User Account Control (UAC) protections and to execute commands.
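The two host-side behaviours described in the Evasion Techniques and Persistence sections above (adding Defender exclusions, and persisting through Run keys or scheduled tasks) both leave records in standard Windows telemetry. The following added example, which is not code from the article or from any vendor, shows a small triage routine that reads such records and correlates them. The sample events are constructed to resemble the Microsoft Defender Operational log (Event ID 5007, "configuration has changed") and Sysmon Event IDs 1 (process create) and 13 (registry value set); every path, SID, task name and file name in them is hypothetical, and the `Event` class and the "Defender"/"Sysmon" source labels are assumptions of this example rather than a real log schema.

```python
"""Triage of host telemetry for two behaviours described above: Defender
exclusion changes and persistence via Run keys or scheduled tasks.
Added example; the events below are constructed to resemble the Defender
Operational log (Event ID 5007) and Sysmon events 1 and 13, with hypothetical
paths, and are not taken from any NonEuclid sample."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str      # "Defender" or "Sysmon" (assumed log source label)
    event_id: int
    message: str


# Constructed sample events with hypothetical paths and task names.
SAMPLE_EVENTS = [
    Event("Defender", 5007,
          r"Windows Defender Configuration has changed. New value: "
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\client.exe = 0x0"),
    Event("Defender", 5007,
          r"Windows Defender Configuration has changed. New value: "
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"),
    Event("Sysmon", 13,
          r"Registry value set: TargetObject: HKU\S-1-5-21-1111\Software\Microsoft"
          r"\Windows\CurrentVersion\Run\Updater Details: C:\Users\Public\client.exe"),
    Event("Sysmon", 1,
          r"Process Create: Image: C:\Windows\System32\schtasks.exe CommandLine: "
          r'schtasks /create /sc onlogon /tn "Updater" /tr C:\Users\Public\client.exe'),
    Event("Sysmon", 1,
          r"Process Create: Image: C:\Windows\System32\notepad.exe CommandLine: notepad.exe"),
]

# Exclusion entries written by Defender: ...\Exclusions\<Kind>\<item> = <value>
EXCLUSION_RE = re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = ")
# Sysmon 13: a value written under a Run/RunOnce key, payload in Details
RUNKEY_RE = re.compile(r"TargetObject: (.+?\\CurrentVersion\\Run(?:Once)?\\\S+) Details: (.+)$")
# schtasks /tr <program> argument, with or without quotes
SCHTASK_RE = re.compile(r'/tr\s+"?([^"\s]+)', re.IGNORECASE)


def triage(events):
    """Return a list of findings; a persisted binary that is also excluded
    from Defender scanning is escalated to 'high'."""
    findings = []
    excluded = {}   # lower-cased excluded item -> exclusion kind
    payloads = {}   # lower-cased persisted program -> where it was persisted
    for ev in events:
        if ev.source == "Defender" and ev.event_id == 5007:
            m = EXCLUSION_RE.search(ev.message)
            if m:
                kind, item = m.group(1), m.group(2)
                excluded[item.lower()] = kind
                findings.append({"rule": "defender_exclusion_added", "kind": kind,
                                 "item": item, "severity": "medium"})
        elif ev.source == "Sysmon" and ev.event_id == 13:
            m = RUNKEY_RE.search(ev.message)
            if m:
                key, payload = m.group(1), m.group(2).strip()
                payloads[payload.lower()] = key
                findings.append({"rule": "run_key_persistence", "key": key,
                                 "payload": payload, "severity": "medium"})
        elif ev.source == "Sysmon" and ev.event_id == 1:
            lowered = ev.message.lower()
            if "schtasks.exe" in lowered and "/create" in lowered:
                m = SCHTASK_RE.search(ev.message)
                payload = m.group(1) if m else "<unparsed>"
                payloads[payload.lower()] = "schtasks"
                findings.append({"rule": "scheduled_task_persistence",
                                 "payload": payload, "severity": "medium"})
    # Correlation: an exclusion that covers a persisted program is the
    # combination worth paging on, not either event on its own.
    for payload, where in payloads.items():
        if payload in excluded:
            findings.append({"rule": "exclusion_covers_persisted_binary",
                             "payload": payload, "persisted_via": where,
                             "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The individual rules are noisy on an ordinary fleet (administrators do add exclusions and create tasks), which is why the routine keeps the two sets and only raises the severity when the excluded item and the persisted program are the same path; the second 5007 event, a scan-setting change, is deliberately ignored to show that not every configuration change is an exclusion.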

Ransomware Capabilities

A relatively uncommon feature is its ability to encrypt files matching certain extension types (e.g., .CSV, .TXT, and .PHP) and rename them with the extension ".NonEuclid," effectively turning it into ransomware.
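The rename-on-encrypt behaviour described above is easier to catch as a pattern than as a signature: one process renaming many files to the same new extension within a few seconds. The added example below, which is not code from the article or from any product, detects that burst from file-rename events and generalises beyond the ".NonEuclid" case to any new extension, so it does not depend on knowing the extension in advance. The `(timestamp, process, old_path, new_path)` event shape, the threshold and window values, and all paths and process names in the sample are assumptions of this example; only the ".NonEuclid" extension and the .CSV/.TXT/.PHP targets come from the article.

```python
"""Burst detector for the mass-rename behaviour of file-encrypting malware:
many files renamed by one process to the same new extension within a short
window. Added example generalising the ".NonEuclid" case from the article to
any new extension; the rename events are constructed with hypothetical paths."""
from collections import deque
import os


def extension_change(old_path, new_path):
    """Return the new extension (lower-cased) if the rename changed it, else None."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else None


def detect_rename_burst(events, threshold=5, window_seconds=10.0):
    """events: time-ordered (timestamp, process, old_path, new_path) tuples.
    Emits one alert per (process, new_ext) pair once `threshold` extension-changing
    renames fall within `window_seconds`."""
    recent = {}      # (process, new_ext) -> deque of timestamps inside the window
    alerted = set()
    alerts = []
    for ts, proc, old_path, new_path in events:
        new_ext = extension_change(old_path, new_path)
        if new_ext is None:
            continue
        key = (proc, new_ext)
        dq = recent.setdefault(key, deque())
        dq.append(ts)
        while ts - dq[0] > window_seconds:   # drop timestamps that fell out of the window
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"process": proc, "new_ext": new_ext, "count": len(dq),
                           "first": dq[0], "last": ts})
    return alerts


D = r"C:\Users\alice\Documents"
# Constructed rename events (seconds, process, old, new); the .NonEuclid extension
# is the one reported for the RAT, everything else is made up.
SAMPLE_RENAMES = [
    (100.0, "client.exe", D + r"\q1.csv", D + r"\q1.csv.NonEuclid"),
    (100.5, "client.exe", D + r"\notes.txt", D + r"\notes.txt.NonEuclid"),
    (101.0, "client.exe", D + r"\index.php", D + r"\index.php.NonEuclid"),
    (103.0, "explorer.exe", D + r"\draft.txt", D + r"\draft-old.txt"),  # benign: same extension
    (104.0, "client.exe", D + r"\q2.csv", D + r"\q2.csv.NonEuclid"),
    (105.0, "client.exe", D + r"\config.php", D + r"\config.php.NonEuclid"),
    (140.0, "client.exe", D + r"\late.txt", D + r"\late.txt.NonEuclid"),  # outside the window
]

if __name__ == "__main__":
    for alert in detect_rename_burst(SAMPLE_RENAMES):
        print(alert)
```

Keying the sliding window on the pair (process, new extension) is what keeps a busy but benign process, such as a file manager renaming documents that keep their extension, out of the alert while still firing on the fifth `.NonEuclid` rename; the alert records the first and last timestamps so a responder can scope which files were touched in that window.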

Conclusion

The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities. Its widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats. The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware’s adaptability in evading security measures.

This article is a contributed piece from one of our valued partners.