Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques

Summary:
Researchers at Cyfirma have discovered a new remote access trojan called NonEuclid, written in C#, which provides attackers with comprehensive control over compromised Windows systems. This sophisticated malware incorporates advanced techniques, including antivirus bypass, privilege escalation, anti-detection mechanisms, and ransomware encryption capabilities targeting critical files. Active since at least November 2024, NonEuclid has been advertised on underground forums and popular platforms like Discord and YouTube, demonstrating a concerted effort to distribute it as a crimeware tool.


NonEuclid operates in multiple stages, starting with the initialization of a client application. It performs various anti-detection checks to ensure it is not running in a virtual machine or sandboxed environment; if such an environment is detected, the malware immediately terminates its execution. To avoid detection by security tools, NonEuclid modifies Microsoft Defender Antivirus exclusions so that the malware's artifacts are not flagged. It also monitors for running processes that are commonly used for system analysis: using the Windows API calls CreateToolhelp32Snapshot, Process32First and Process32Next, it enumerates running processes and, depending on its AntiProcessMode setting, either terminates the targeted processes or forces the client application to exit.


Security Officer Comments:


A distinguishing feature of NonEuclid is its ransomware functionality. The malware encrypts files with specific extensions and renames them with the extension ".NonEuclid". This effectively renders the files inaccessible, introducing a ransomware component to its otherwise RAT-focused design. The encryption process leverages strong cryptographic algorithms to ensure the files cannot be recovered without the decryption key.


Communication between the infected system and the attacker's command-and-control server is established via a TCP socket, using a predefined IP address and port. This setup gives the attacker reliable remote control, allowing them to execute commands, exfiltrate data, and deploy additional payloads. The malware's promotion across underground forums and tutorial platforms like Discord and YouTube highlights its accessibility to cybercriminals, increasing its potential for widespread adoption.
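Two of the host-side behaviours described above, the Defender exclusion changes and the ".NonEuclid" file renames, leave traces a detection engineer can alert on. The following Python is an added example and is not code from the Cyfirma or The Hacker News reports: it parses constructed lines in the shape of Microsoft Defender operational log Event ID 5007 (configuration changed) to pull out newly added exclusions, and flags a burst of renames to the ".NonEuclid" extension from constructed file-rename events. The paths, hostnames and thresholds are placeholders, not indicators from the report.

```python
import re

# Constructed sample lines modelled on Defender Event ID 5007 text. The file
# and process names are placeholders, not indicators from the report.
SAMPLE_5007 = [
    r"Event 5007: Old value: ; New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\client.exe = 0x0",
    r"Event 5007: Old value: ; New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\client.exe = 0x0",
    r"Event 5007: Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2; New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1",
]

# Matches only the exclusion subkeys (Paths, Processes, Extensions) in the
# "New value" part, so ordinary scan-setting changes are not reported.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<value>[^=]+?)\s*=",
    re.IGNORECASE,
)

def exclusion_additions(lines):
    """Return (kind, value) for every 5007 line that adds a Defender exclusion."""
    hits = []
    for line in lines:
        m = EXCLUSION_RE.search(line)
        if m:
            hits.append((m.group("kind"), m.group("value").strip()))
    return hits

# Constructed file-rename events: (timestamp in seconds, old path, new path).
SAMPLE_RENAMES = [
    (100, r"C:\Users\u\Documents\a.docx", r"C:\Users\u\Documents\a.docx.NonEuclid"),
    (101, r"C:\Users\u\Documents\b.xlsx", r"C:\Users\u\Documents\b.xlsx.NonEuclid"),
    (102, r"C:\Users\u\Documents\notes.txt", r"C:\Users\u\Documents\notes.bak"),
    (102, r"C:\Users\u\Documents\c.pdf", r"C:\Users\u\Documents\c.pdf.NonEuclid"),
    (103, r"C:\Users\u\Documents\d.jpg", r"C:\Users\u\Documents\d.jpg.NonEuclid"),
    (104, r"C:\Users\u\Documents\e.pptx", r"C:\Users\u\Documents\e.pptx.NonEuclid"),
    (400, r"C:\Users\u\Desktop\f.docx", r"C:\Users\u\Desktop\f.docx.NonEuclid"),
]

def noneuclid_rename_burst(events, window=60, threshold=5):
    """True if at least `threshold` files gain the .NonEuclid extension
    within any `window`-second span (a single rename is not enough)."""
    times = sorted(t for t, _old, new in events if new.lower().endswith(".noneuclid"))
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False

if __name__ == "__main__":
    print(exclusion_additions(SAMPLE_5007))
    print(noneuclid_rename_burst(SAMPLE_RENAMES))
```

In production the same two checks would be fed from the Defender operational event log and from Sysmon or EDR file-rename telemetry rather than from the constructed lists.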




Suggested Corrections:


Strategic Recommendations:



  • Enhance Threat Intelligence Sharing:
    • Establish partnerships with external threat intelligence platforms and agencies to stay informed about emerging threats like the NonEuclid RAT. Sharing intelligence within the cybersecurity community helps in early detection and mitigation.
  • Invest in Advanced Security Technologies:
    • Allocate resources to integrate AI-driven security tools capable of detecting sophisticated evasion techniques, including behavioral analysis, anomaly detection, and memory-based scanning.

Tactical Recommendations:


  • Deploy Endpoint Detection and Response (EDR) Solutions:
    • Implement EDR solutions to monitor endpoints for suspicious activities like unauthorized registry changes, process injections, and dynamic DLL loading, ensuring rapid containment.
  • Strengthen User Awareness Training:
    • Conduct regular training programs to educate users about phishing attempts, RAT deployment tactics, and the importance of secure practices, such as not running suspicious executables or sharing credentials.

Operational Recommendations:


  • Implement Strict Privilege Management:
    • Enforce least-privilege access policies and ensure administrative actions are logged and monitored to prevent privilege escalation attempts by malware.
  • Perform Regular Patch Management and Audits:
    • Ensure all systems, software, and frameworks are up to date with the latest security patches. Conduct periodic audits to identify and mitigate vulnerabilities that malware could exploit.


Link(s):
https://thehackernews.com/2025/01/researchers-expose-noneuclid-rat-using.html


https://www.cyfirma.com/research/noneuclid-rat/