New NonEuclid RAT Bypasses Antivirus and Encrypts Critical Files


The NonEuclid Remote Access Trojan (RAT), a highly sophisticated piece of malware, has been detected. It provides unauthorized remote access, relies on advanced evasion techniques, and includes ransomware functionality that encrypts crucial files.

This RAT was written in C# and targets the .NET Framework 4.8. It performs only limited security checks, which makes it harder for security products to identify and interrupt its operations.

It uses a number of tactics, such as antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files.  

It has acquired popularity due to features like stealth, dynamic DLL loading, anti-VM checks, and AES encryption capabilities. It was promoted on underground forums and on social networking sites. 

The Attack Flow

CYFIRMA reports that the program first establishes settings, delays startup, and ensures administrator rights for certain features. If enabled, the program installs itself and uses mutex control to make sure no duplicate instances are running. 

A logger starts asynchronously for monitoring, and sleep-prevention and anti-process blocking features are turned on. Reconnection logic is in place to ensure continuous connections after a client socket is initialized for server communication.

AntiScan method attempts to bypass Windows Defender’s scans

A separate function continually monitors running processes in order to identify and terminate specific target processes, such as “Taskmgr.exe,” “ProcessHacker.exe,” and “procexp.exe,” which are frequently used for process analysis or management.


The code defines a method Set that registers an event handler for session ending and marks the current process as critical using the RtlSetProcessIsCritical function, preventing the process from being terminated under certain conditions. 

The code also uses DirectShow to list multimedia devices, such as cameras. It uses IEnumMoniker to fetch devices in the designated category after initializing a device enumerator.

The Bypass method aims to run a command and change the Windows registry to bypass certain restrictions. It begins by determining whether the program is operating with administrative rights.

If not, it generates a registry key under CurrentUser that may be used to change execution path-related system settings. 

Privilege Escalation

The RAT’s ransomware component uses AES encryption to lock a variety of file formats, including files with the extensions “.csv,” “.txt,” and “.php.” Each affected file is renamed with the extension “.NonEuclid” after encryption.
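Two of the behaviours described above, the termination of analysis tools and the mass renaming of encrypted files to “.NonEuclid”, are observable from endpoint telemetry. The following detection logic is an added example, not code from the article or from CYFIRMA; the JSON event format and the rename threshold are assumptions chosen for illustration.

```python
import json
from collections import Counter

# Analysis tools the article says NonEuclid terminates (compared case-insensitively).
BLOCKED_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe"}
# Extension appended to encrypted files, per the article.
RANSOM_EXT = ".noneuclid"
# Assumption: this many renames to the ransom extension by one process counts as mass encryption.
RENAME_THRESHOLD = 3


def analyze(event_lines):
    """Return a list of findings from an iterable of JSON event lines (constructed format)."""
    findings = []
    rename_counts = Counter()
    for line in event_lines:
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "process_terminate":
            # Keep only the file name from the full image path, e.g. C:\Windows\System32\Taskmgr.exe
            target = ev.get("target_image", "").rsplit("\\", 1)[-1].lower()
            if target in BLOCKED_TOOLS:
                findings.append(f"analysis tool killed: {target} by pid {ev['pid']}")
        elif kind == "file_rename":
            if ev.get("new_path", "").lower().endswith(RANSOM_EXT):
                rename_counts[ev["pid"]] += 1
    for pid, count in rename_counts.items():
        if count >= RENAME_THRESHOLD:
            findings.append(f"mass rename to {RANSOM_EXT}: {count} files by pid {pid}")
    return findings


# Constructed sample telemetry: one suspicious process (pid 4120) and benign noise (pid 888).
SAMPLE_EVENTS = [
    {"type": "process_terminate", "pid": 4120, "target_image": r"C:\Windows\System32\Taskmgr.exe"},
    {"type": "process_terminate", "pid": 4120, "target_image": r"C:\Tools\ProcessHacker.exe"},
    {"type": "process_terminate", "pid": 4120, "target_image": r"C:\Windows\System32\notepad.exe"},
    {"type": "file_rename", "pid": 4120, "old_path": r"C:\Users\alice\Documents\budget.csv",
     "new_path": r"C:\Users\alice\Documents\budget.csv.NonEuclid"},
    {"type": "file_rename", "pid": 4120, "old_path": r"C:\Users\alice\Documents\notes.txt",
     "new_path": r"C:\Users\alice\Documents\notes.txt.NonEuclid"},
    {"type": "file_rename", "pid": 4120, "old_path": r"C:\inetpub\wwwroot\index.php",
     "new_path": r"C:\inetpub\wwwroot\index.php.NonEuclid"},
    {"type": "file_rename", "pid": 888, "old_path": r"C:\Users\alice\report.docx",
     "new_path": r"C:\Users\alice\report_final.docx"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

The benign notepad.exe termination and the single ordinary rename by pid 888 produce no findings, while the three encryption renames by one process cross the threshold.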

Capabilities of NonEuclid RAT

Researchers examined the user “NAZZED,” who registered on YouTube on October 15th and currently has 110 subscribers.

In addition, he has posted numerous videos explaining how to construct RATs such as Xworm, Silver RAT, Sheerat, Wizworm RAT, and DC RAT, as well as how to configure the brand-new Ratnik NONEUCLID RAT.

A Discord account has been discovered for the RAT creator, who joined Discord on June 21, 2021, and later formed a server on October 15th. On this server, there have been discussions about different RATs, including the NONEUCLID RAT.

The incorporation of features such as privilege escalation, AMSI bypass, and process blocking demonstrates the malware’s versatility in avoiding security measures.

To effectively limit the effects of threats like NonEuclid, proactive security techniques, ongoing monitoring, and knowledge of changing cybercriminal tactics are necessary.
