

Ethical Hacking News

The Evolution of Modern Malware: Unveiling the Sophisticated NonEuclid Remote Access Trojan


Researchers have discovered a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems. The malware boasts advanced evasion techniques, including UAC bypass and AMSI evasion.

  • The NonEuclid RAT is a highly sophisticated malware offering unauthorized remote access with advanced evasion techniques.
  • The malware is designed to bypass antivirus software, and it configures Microsoft Defender Antivirus exclusions for its own artifacts.
  • The NonEuclid RAT provides unauthorized remote access to compromised Windows systems, allowing bad actors to execute commands and control the affected machines.
  • The malware has been promoted through popular platforms like Discord and YouTube, where tutorials and discussions about its features have been discovered.
  • The malware configures Microsoft Defender Antivirus exclusions to prevent its artifacts from being flagged by the security tool.
  • The NonEuclid RAT uses Windows API calls to enumerate processes and check if their executable names match the specified targets.
  • The malware incorporates features to bypass the Windows Antimalware Scan Interface (AMSI), demonstrating its adaptability in evading security measures.
  • The discovery of NonEuclid highlights the increasing sophistication of modern malware, combining advanced stealth mechanisms and ransomware capabilities.


    The cyber threat landscape continues to evolve at an alarming rate, with new types of malware emerging to challenge the security measures of even the most seasoned experts. In recent times, researchers have shed light on a highly sophisticated remote access trojan (RAT) called NonEuclid, which has been garnering significant attention from cybersecurity professionals and enthusiasts alike.

    According to a technical analysis published by Cyfirma, this malware is "a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques." The RAT, developed in C#, has been designed to bypass antivirus software, among other security measures, including by configuring Windows Defender Antivirus exclusions. Its primary function is to provide unauthorized remote access to compromised Windows systems, allowing bad actors to execute commands and control the affected machines.

    The NonEuclid malware's development is shrouded in mystery, but its presence on underground forums since late November 2024 suggests a concerted effort to distribute it as a crimeware solution. The malware has been promoted through various channels, including popular platforms like Discord and YouTube, where tutorials and discussions about its features have been discovered.

    At its core, the NonEuclid RAT commences with an initialization phase for a client application, which is followed by a series of checks to evade detection prior to setting up a TCP socket for communication with a specified IP and port. This initial phase is critical in assessing the malware's capabilities and understanding how it attempts to bypass security measures.

    The malware configures Microsoft Defender Antivirus exclusions to prevent its artifacts from being flagged by the security tool, demonstrating its advanced evasion techniques. Furthermore, it keeps tabs on processes like "taskmgr.exe," "processhacker.exe," and "procexp.exe," which are often used for analysis and process management.

    Cyfirma has highlighted that NonEuclid uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to enumerate processes and check if their executable names match the specified targets. If a match is found, depending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application.
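    The Defender exclusion tampering described above leaves a trace in the Microsoft-Windows-Windows Defender/Operational log as Event ID 5007 ("configuration has changed"), whose message names the registry value that was added. The following triage function is an added example for defenders, not code from Cyfirma's report or from the malware; the event messages and the registry-path format are constructed samples, and the user-writable path markers and severity rules are this example's own assumptions.

```python
import re

# Constructed messages in the shape of Defender Operational log Event ID 5007
# ("antimalware platform configuration changed"); not real telemetry.
SAMPLE_5007 = [
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\bob\\AppData\\Local\\Temp\\upd = 0x0",
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\client.exe = 0x0",
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Backup Agent = 0x0",
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.exe = 0x0",
]

# Matches the three exclusion kinds Defender stores under the Exclusions key.
EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?) = 0x0"
)

# Assumed markers of locations an unprivileged user (or a dropper) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Extensions whose exclusion would blind scanning of executable content.
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js"}


def triage_defender_exclusions(messages):
    """Return (kind, value, severity) for every exclusion added in the messages."""
    findings = []
    for msg in messages:
        m = EXCLUSION_RE.search(msg)
        if not m:
            continue  # some other configuration change; not an exclusion
        kind, value = m.group("kind"), m.group("value")
        low = value.lower()
        if kind == "Processes":
            sev = "high"  # everything the excluded process reads or writes goes unscanned
        elif kind == "Extensions":
            sev = "high" if low in RISKY_EXTENSIONS else "medium"
        else:  # Paths: a writable directory is the classic staging spot for a dropped RAT
            sev = "high" if any(t in low + "\\" for t in USER_WRITABLE) else "medium"
        findings.append((kind, value, sev))
    return findings


if __name__ == "__main__":
    for kind, value, sev in triage_defender_exclusions(SAMPLE_5007):
        print(f"[{sev:6}] {kind}: {value}")
```

Run against real 5007 events, the same logic gives an analyst a ranked list of exclusions to compare against what change management actually approved.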

    Some of the anti-analysis techniques adopted by NonEuclid include checks to determine if it's running in a virtual or sandboxed environment, and if found to be so, it immediately terminates the program. The malware also incorporates features to bypass the Windows Antimalware Scan Interface (AMSI), demonstrating its adaptability in evading security measures.

    Persistence is accomplished by means of scheduled tasks and Windows Registry changes, while NonEuclid also attempts to elevate privileges by circumventing User Account Control (UAC) protections. A relatively uncommon feature of the malware is its ability to encrypt files matching certain extension types (e.g., .CSV, .TXT, and .PHP) and rename them with the extension ".NonEuclid," effectively turning it into ransomware.
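    The ".NonEuclid" extension is the one observable a defender can key on cheaply: a single process renaming many files to that extension within seconds is the encryption phase in progress. The burst detector below is an added example, not code from the report or the malware; the rename events (timestamp, PID, image, old path, new path) are constructed samples, and the 10-second window and threshold of five are assumptions to tune for real telemetry.

```python
from collections import defaultdict, deque

RANSOM_EXT = ".noneuclid"  # extension the report says encrypted files receive
WINDOW_SECONDS = 10.0      # assumed sliding window
THRESHOLD = 5              # assumed number of renames in the window that triggers an alert

# Constructed rename events: (unix_time, pid, image, old_path, new_path). Not real telemetry.
# PID 4120 mimics the encryption loop; 880 is a benign rename; 5555 renames too slowly to alert.
SAMPLE_RENAMES = [
    (100.0, 4120, "client.exe", "C:\\Users\\bob\\Documents\\q1.csv", "C:\\Users\\bob\\Documents\\q1.csv.NonEuclid"),
    (100.4, 4120, "client.exe", "C:\\Users\\bob\\Documents\\notes.txt", "C:\\Users\\bob\\Documents\\notes.txt.NonEuclid"),
    (100.9, 4120, "client.exe", "C:\\inetpub\\site\\index.php", "C:\\inetpub\\site\\index.php.NonEuclid"),
    (101.3, 4120, "client.exe", "C:\\Users\\bob\\Documents\\q2.csv", "C:\\Users\\bob\\Documents\\q2.csv.NonEuclid"),
    (101.8, 4120, "client.exe", "C:\\Users\\bob\\Documents\\todo.txt", "C:\\Users\\bob\\Documents\\todo.txt.NonEuclid"),
    (102.1, 4120, "client.exe", "C:\\inetpub\\site\\db.php", "C:\\inetpub\\site\\db.php.NonEuclid"),
    (105.0, 880, "explorer.exe", "C:\\Users\\bob\\Documents\\old.txt", "C:\\Users\\bob\\Documents\\old.bak"),
    (200.0, 5555, "backup.exe", "C:\\data\\a.txt", "C:\\data\\a.txt.NonEuclid"),
    (240.0, 5555, "backup.exe", "C:\\data\\b.txt", "C:\\data\\b.txt.NonEuclid"),
]


def detect_rename_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: (image, time)} for the first moment each process reached
    `threshold` renames to RANSOM_EXT inside `window` seconds."""
    recent = defaultdict(deque)  # pid -> timestamps of qualifying renames still in the window
    alerts = {}
    for ts, pid, image, _old, new in sorted(events):
        # endswith() catches both "name.txt.NonEuclid" and a replaced extension.
        if not new.lower().endswith(RANSOM_EXT):
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = (image, ts)
    return alerts


if __name__ == "__main__":
    for pid, (image, ts) in detect_rename_bursts(SAMPLE_RENAMES).items():
        print(f"ALERT pid={pid} image={image} t={ts}: rename burst to {RANSOM_EXT}")
```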

    The discovery of NonEuclid highlights the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities.

    "Its widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats," Cyfirma stated. "The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware's adaptability in evading security measures."

    In conclusion, the NonEuclid RAT serves as a stark reminder of the evolving nature of modern cybersecurity threats. Its advanced evasion techniques, anti-detection capabilities, and ransomware functionalities underscore the need for robust security measures to protect against such threats.



    Related Information:

  • https://thehackernews.com/2025/01/researchers-expose-noneuclid-rat-using.html

  • https://healsecurity.com/researchers-expose-noneuclid-rat-using-uac-bypass-and-amsi-evasion-techniques/


  • Published: Wed Jan 8 09:28:08 2025 by llama3.2 3B Q4_K_M
