Cybersecurity researchers have disclosed a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems.
“The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques,” Cyfirma said in a technical analysis published last week.
“It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files.”
NonEuclid has been advertised in underground forums since at least late November 2024, with tutorials and discussions about the malware found on popular platforms like Discord and YouTube. This points to a concerted effort to distribute the malware as a crimeware solution.
At its core, the RAT begins with an initialization phase for a client application, after which it performs a series of checks to evade detection prior to setting up a TCP socket for communication with a specified IP and port.
It also configures Microsoft Defender Antivirus exclusions to prevent its artifacts from being flagged by the security software, and keeps tabs on processes like “taskmgr.exe,” “processhacker.exe,” and “procexp.exe” that are commonly used for analysis and process management.
“It uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to enumerate processes and check if their executable names match the specified targets,” Cyfirma stated. “If a match is found, depending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application.”
Some of the anti-analysis techniques adopted by the malware include checks to determine whether it is running in a virtual or sandboxed environment and, if so, immediately terminating the program. Furthermore, it incorporates features to bypass the Windows Antimalware Scan Interface (AMSI).
While persistence is achieved by means of scheduled tasks and Windows Registry changes, NonEuclid also attempts to elevate privileges by circumventing User Account Control (UAC) protections and execute commands.
A relatively uncommon feature is its ability to encrypt files matching certain extension types (e.g., .CSV, .TXT, and .PHP) and rename them with the extension “.NonEuclid,” effectively turning it into ransomware.
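Two of the behaviours described above leave host-side traces a defender can look for: Microsoft Defender records every configuration change, including a newly added exclusion, as event 5007 in its Operational log, and the ransomware component leaves files carrying the ".NonEuclid" extension. The following Python is an added example (not Cyfirma's code and not part of the malware analysis) that runs both checks over constructed input: the log lines approximate the text of event 5007 and the file listing is invented, and the helper names `find_exclusion_changes`, `find_renamed_files` and `triage` are this example's own.

```python
"""Defender-side triage for two NonEuclid indicators from the article:
Defender exclusions being added, and files renamed with a ".NonEuclid" extension.
Added example with constructed sample data; nothing here is the original page's code."""
import re

# Constructed lines approximating the message text of Microsoft Defender
# Operational log event 5007 ("Configuration has changed"). Paths are invented.
DEFENDER_EVENTS = [
    r"5007 Microsoft Defender Antivirus Configuration has changed. Old value:  "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\svc.exe = 0x0",
    r"5007 Microsoft Defender Antivirus Configuration has changed. Old value:  "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"5007 Microsoft Defender Antivirus Configuration has changed. Old value:  "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svc.exe = 0x0",
    r"1116 Microsoft Defender Antivirus has detected malware or other potentially unwanted software.",
]

# Constructed directory listing from a host where the encryption routine ran.
FILE_LISTING = [
    r"C:\data\quarterly.csv.NonEuclid",
    r"C:\data\notes.txt.NonEuclid",
    r"C:\inetpub\wwwroot\index.php",
    r"C:\data\archive.zip",
]

# Matches an event-5007 "New value" that creates a key under the Exclusions hive.
# Kind is the exclusion class (Paths, Processes or Extensions); value is the entry added.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?)\s*=\s*0x0\s*$",
    re.IGNORECASE,
)

RANSOM_EXT = ".NonEuclid"  # extension named in the article


def find_exclusion_changes(lines):
    """Return (kind, value) for every event line that adds a Defender exclusion.

    Other 5007 changes (e.g. real-time protection toggles) are deliberately not
    matched here so the result isolates the exclusion-tampering behaviour."""
    found = []
    for line in lines:
        m = EXCLUSION_RE.search(line)
        if m:
            found.append((m.group("kind"), m.group("value")))
    return found


def find_renamed_files(paths, ext=RANSOM_EXT):
    """Return paths whose final extension matches the ransomware marker (case-insensitive)."""
    return [p for p in paths if p.lower().endswith(ext.lower())]


def triage(events, paths):
    """Combine both checks into one summary a responder can act on."""
    exclusions = find_exclusion_changes(events)
    renamed = find_renamed_files(paths)
    return {
        "exclusions_added": exclusions,
        "renamed_files": renamed,
        "suspicious": bool(exclusions) or bool(renamed),
    }


if __name__ == "__main__":
    summary = triage(DEFENDER_EVENTS, FILE_LISTING)
    for kind, value in summary["exclusions_added"]:
        print(f"Defender exclusion added ({kind}): {value}")
    for path in summary["renamed_files"]:
        print(f"Encrypted file marker: {path}")
    print("suspicious:", summary["suspicious"])
```

On a real host the event text would come from the `Microsoft-Windows-Windows Defender/Operational` channel rather than a list of strings; the regex only keys on the `Exclusions\...` registry path so that ordinary 5007 noise such as protection toggles is reported separately, which is the distinction a responder needs when deciding whether exclusions were tampered with.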
“The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities,” Cyfirma stated.
“Its widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats. The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware’s adaptability in evading security measures.”