Wednesday, March 12, 2025

Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques


Jan 08, 2025 | The Hacker News | Malware / Windows Security

Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems.

"The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques," Cyfirma said in a technical analysis published last week.

"It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files."


NonEuclid has been advertised on underground forums since at least late November 2024, with tutorials and discussions about the malware found on popular platforms such as Discord and YouTube. This points to a concerted effort to distribute the malware as a crimeware offering.

At its core, the RAT begins with an initialization phase for the client application, after which it performs a series of checks to evade detection before establishing a TCP socket for communication with a specified IP address and port.

It also configures Microsoft Defender Antivirus exclusions to prevent its artifacts from being flagged by the security tool, and keeps tabs on processes such as "taskmgr.exe," "processhacker.exe," and "procexp.exe" that are commonly used for analysis and process management.

"It uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to enumerate processes and check if their executable names match the specified targets," Cyfirma said. "If a match is found, depending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application."


Some of the anti-analysis techniques adopted by the malware include checks to determine whether it is running in a virtual or sandboxed environment; if so, the program terminates immediately. It also incorporates features to bypass the Windows Antimalware Scan Interface (AMSI).

While persistence is achieved through scheduled tasks and Windows Registry changes, NonEuclid also attempts to elevate privileges by circumventing User Account Control (UAC) protections and to execute commands.
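The two host changes described above (Defender exclusions being added, and persistence through Run keys or scheduled tasks) both leave traces in standard Windows telemetry. The script below is an added example, not Cyfirma's or the malware's code: it runs three simple checks over a constructed JSON-lines export of Defender Event ID 5007 (configuration changed) and Sysmon Event ID 13 (registry value set) and Event ID 1 (process creation). The one-event-per-line layout, the sample paths and the process name `client.exe` are assumptions of this example; the Defender message wording and the Sysmon field names (`Image`, `TargetObject`, `Details`, `CommandLine`, `ParentImage`) follow the real events.

```python
"""Triage constructed Defender/Sysmon telemetry for the NonEuclid-style
behaviours the article describes: Defender exclusions added, Run-key
persistence and scheduled-task persistence.  Added example; event layout,
paths and process names are assumptions, not the RAT's own code or logs."""
import json
import re

# Constructed JSON-lines telemetry (one event per line).  The 5007 message text
# mirrors the real Defender event; the JSON shape is an assumption of this example.
SAMPLE_EVENTS = r"""
{"EventID": 5007, "Channel": "Microsoft-Windows-Windows Defender/Operational", "Message": "Windows Defender Antivirus Configuration has changed.\n\tOld value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Roaming\\update\\client.exe = 0x0"}
{"EventID": 5007, "Channel": "Microsoft-Windows-Windows Defender/Operational", "Message": "Windows Defender Antivirus Configuration has changed.\n\tOld value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\client.exe = 0x0"}
{"EventID": 5007, "Channel": "Microsoft-Windows-Windows Defender/Operational", "Message": "Windows Defender Antivirus Configuration has changed.\n\tOld value: \n\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2"}
{"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": "C:\\Users\\alice\\AppData\\Roaming\\update\\client.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate", "Details": "C:\\Users\\alice\\AppData\\Roaming\\update\\client.exe"}
{"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /sc onlogon /tn WindowsUpdate /tr C:\\Users\\alice\\AppData\\Roaming\\update\\client.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\update\\client.exe"}
{"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Defender 5007 reports the registry value that changed; only the Exclusions
# subtree matters here.  Group 1 is the kind (Paths/Processes/Extensions).
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(\w+)\\(.+?)\s*=",
    re.S,
)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Locations a RAT running as a standard user can write to: an exclusion or
# autorun pointing here is more suspicious than one under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def severity_for(path: str) -> str:
    return "high" if USER_WRITABLE_RE.search(path) else "medium"


def check_defender_exclusion(ev):
    if ev.get("EventID") != 5007:
        return None
    m = EXCLUSION_RE.search(ev.get("Message", ""))
    if not m:
        return None  # some other Defender setting changed, not an exclusion
    kind, target = m.group(1), m.group(2).strip()
    return {"rule": "defender_exclusion_added", "severity": severity_for(target),
            "detail": f"{kind}: {target}"}


def check_run_key(ev):
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    return {"rule": "run_key_persistence", "severity": severity_for(ev.get("Details", "")),
            "detail": f"{ev['TargetObject']} -> {ev.get('Details', '')}"}


def check_schtasks(ev):
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if image != "schtasks.exe" or "/create" not in cmd.lower():
        return None
    return {"rule": "scheduled_task_created", "severity": severity_for(cmd),
            "detail": f"{cmd} (parent: {ev.get('ParentImage', '?')})"}


CHECKS = (check_defender_exclusion, check_run_key, check_schtasks)


def triage(jsonl: str):
    """Return one finding dict per matching event, in input order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
```

The severity split is the practitioner's point: a Defender exclusion or autorun entry that points into `AppData`, `Temp` or `ProgramData` is the pattern a user-level dropper produces and is worth an immediate look, whereas an exclusion under Program Files is more often legitimate software setup. The benign `ScanParameters` change in the sample shows why the regex is pinned to the `Exclusions` subtree rather than to every 5007 event.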


A relatively uncommon feature is its ability to encrypt files matching certain extensions (e.g., .CSV, .TXT, and .PHP) and rename them with the extension ".NonEuclid," effectively turning it into ransomware.
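A RAT that starts renaming files in bulk behaves very differently from one that sits quietly on a C2 channel, and the rename itself is the cheapest thing to detect. The block below is an added example (not from Cyfirma's analysis or the malware) of a sliding-window burst detector over constructed file-create events: it alerts when one process produces a threshold of ".NonEuclid"-suffixed files within a time window and inventories the original extensions involved. The event tuples, the process paths and the assumption that the suffix is appended to the original name (so `q4.csv.NonEuclid` was `q4.csv`) are constructed for this example; a real source would be Sysmon Event ID 11 or an EDR file-write stream.

```python
"""Burst detector for files acquiring the ".NonEuclid" extension, the
ransomware behaviour the article attributes to the RAT.  Added example over
constructed events; the event shape and the appended-suffix naming are
assumptions, not observed NonEuclid behaviour."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANSOM_SUFFIX = ".NonEuclid"

# Constructed events: (UTC timestamp, writing process image, file path).
SAMPLE_EVENTS = [
    ("2025-01-06T10:00:00", r"C:\Users\alice\AppData\Roaming\update\client.exe", r"C:\Users\alice\Documents\q4.csv.NonEuclid"),
    ("2025-01-06T10:00:01", r"C:\Users\alice\AppData\Roaming\update\client.exe", r"C:\Users\alice\Documents\notes.txt.NonEuclid"),
    ("2025-01-06T10:00:02", r"C:\Users\alice\AppData\Roaming\update\client.exe", r"C:\inetpub\site\index.php.NonEuclid"),
    ("2025-01-06T10:00:03", r"C:\Windows\explorer.exe", r"C:\Users\alice\Desktop\todo.txt"),
    ("2025-01-06T10:00:04", r"C:\Users\alice\AppData\Roaming\update\client.exe", r"C:\inetpub\site\config.php.NonEuclid"),
    ("2025-01-06T10:00:05", r"C:\Users\alice\AppData\Roaming\update\client.exe", r"C:\Users\alice\Documents\sales.csv.NonEuclid"),
    ("2025-01-06T10:30:00", r"C:\Users\bob\tools\backup.exe", r"D:\backup\old.txt.NonEuclid"),
]


def original_extension(path: str) -> str:
    """Extension the file had before the ransom suffix was appended (assumed layout)."""
    name = PureWindowsPath(path).name
    stem = name[: -len(RANSOM_SUFFIX)]
    return PureWindowsPath(stem).suffix.lower()


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {process_image: {"count", "first", "extensions"}} for every process
    that wrote at least `threshold` ransom-suffixed files inside one `window`.
    Each process is reported once, at the moment it crosses the threshold."""
    recent = defaultdict(deque)  # per-process queue of (timestamp, original ext)
    alerts = {}
    for ts_str, image, path in sorted(events):
        if not path.endswith(RANSOM_SUFFIX):
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[image]
        q.append((ts, original_extension(path)))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and image not in alerts:
            exts = defaultdict(int)
            for _, ext in q:
                exts[ext] += 1
            alerts[image] = {"count": len(q), "first": q[0][0].isoformat(),
                             "extensions": dict(exts)}
    return alerts


if __name__ == "__main__":
    for image, a in detect_bursts(SAMPLE_EVENTS).items():
        print(f"{image}: {a['count']} files since {a['first']} {a['extensions']}")
```

The threshold and window are tuning knobs: a single `.NonEuclid` file from a backup tool (the `backup.exe` event in the sample) should not page anyone, while five in six seconds from a binary living in `AppData` should. The extension inventory is there for scoping, since knowing that `.php` files under `inetpub` were hit tells the responder the web root is involved, not just user documents.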

"The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities," Cyfirma said.

"Its widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats. The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware's adaptability in evading security measures."
