NonEuclid RAT: Unveiling a New, Sophisticated Threat That Combines Stealth and Ransomware

This report covers NonEuclid RAT, a potent malware that functions as both a Remote Access Trojan and ransomware. It details the RAT's advanced anti-detection techniques (AMSI bypass, Anti-VM) and offers immediate mitigation strategies.


Executive Summary: A New Level of Evasion

A highly sophisticated Remote Access Trojan (RAT) named NonEuclid has emerged, distinguishing itself through advanced stealth mechanisms, anti-detection features, and built-in ransomware capabilities. Developed in C# and built for the .NET Framework 4.8, NonEuclid is designed to execute with minimal security checks, enabling unauthorized remote access and control over compromised Windows systems.

The malware's popularity is growing within the cybercriminal community due to its key features, including AES encryption, anti-VM checks, and dynamic DLL loading.

Technical Analysis: How NonEuclid RAT Operates

NonEuclid RAT is designed to secure persistence and maintain covert control over an infected system through a multi-stage process of initialization, evasion, and malicious actions.

Initial Execution and Defense Evasion

The malware's initial steps are focused on stealth and bypassing defenses.

  • Initialization and Delay: The program starts with a configured delay and initializes application settings, exiting if the settings fail to load.
  • Security Checks: It performs anti-defender scans, checks for administrative privileges, and enables critical process handling (BSOD).
  • AntiScan Method: This function actively bypasses Windows Defender by adding exclusions to the Defender registry settings for its server file, a watchdog folder, and the current process's executable.
  • Process Blocking: The Anti Process Block method continuously monitors and terminates known analysis tools like "Taskmgr.exe", "ProcessHacker.exe", and "procexp.exe".
  • Critical Process: The malware can mark its own process as "critical" using the RtlSetProcessIsCritical function, which prevents the process from being terminated under certain conditions.
  • Anti-VM/Sandbox Check: The RunAntiAnalysis method detects virtual machine (VM) environments by querying system information (specifically Win32_CacheMemory). If a VM is detected, the program terminates itself with an exit code of 240.
  • AMSI Bypass: It uses memory patching on the "amsi.dll" module, specifically targeting the AmsiScanBuffer function, to evade Windows Defender's Antimalware Scan Interface (AMSI).

Persistence and Remote Control

To ensure long-term access, the RAT employs several persistence and communication methods:

  • Dropped Files and Persistence: Upon execution, the malware drops two executable files in different folders. These files are configured to run automatically via the Task Scheduler (schtasks), ensuring persistence even after a system reboot. The scheduled task runs at specified minute intervals, with the command window hidden and output suppressed.
  • Socket Communication: A client socket is initialized with reconnection logic to continuously maintain connectivity with the Command and Control (C2) server. The initial connection sets up a TCP socket and, if successful, configures timers for keep-alive and pong packets and begins reading data from the server.
  • Privilege Escalation (UAC Bypass): The Bypass method attempts to modify the Windows Registry and execute a command to circumvent User Account Control (UAC) restrictions.
  • Dynamic DLL Loading: It can dynamically invoke Windows API functions using their DLL and function names (e.g., for NtProtectVirtualMemory), which is a technique used to maintain flexibility and stealth.
  • Registry Persistence: The HKCU method is used to update a registry key under HKEY_CURRENT_USER to store a given name, a common method for achieving persistence.

Destructive Capability: Ransomware

NonEuclid is a dangerous blend of a RAT and ransomware:

  • AES Encryption: The malware utilizes AES encryption to lock various file types, including .csv, .txt, and .php.
  • File Renaming: After successful encryption, all affected files are renamed with the appended extension .NonEuclid.
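As an added illustration (not part of the original analysis), the following Python applies three detection rules over constructed Sysmon-style events that correspond to the behaviours described above: registry writes under the Defender Exclusions key (AntiScan), schtasks persistence with a minute-based schedule, and a burst of files written with the .NonEuclid extension. The event shapes, file paths and process names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed Sysmon-style events (not real telemetry). Event 13 = registry value set,
# 1 = process creation, 11 = file created (a rename target appears as a new file).
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\bob\AppData\Roaming\svc.exe"},
    {"id": 13, "image": r"C:\Windows\System32\gpupdate.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\Builds"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "svcwatch" /sc minute /mo 5 /tr "C:\\Users\\bob\\AppData\\Roaming\\svc.exe"'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Backup" /sc daily /st 02:00 /tr "C:\\Tools\\backup.exe"'},
] + [{"id": 11, "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
      "target": rf"C:\Users\bob\Documents\report{i}.csv.NonEuclid"} for i in range(6)]

EXCLUSION_KEY = "\\windows defender\\exclusions\\"          # matched case-insensitively
MINUTE_TASK = re.compile(r"/create\b.*?/sc\s+minute", re.IGNORECASE)

def defender_exclusion_writes(events):
    """Registry writes under the Defender Exclusions key (T1562.001).
    Returns (writing image, excluded path, writer excluded itself?)."""
    findings = []
    for ev in events:
        if ev["id"] != 13 or EXCLUSION_KEY not in ev["target"].lower():
            continue
        excluded = ev["target"].split("\\Paths\\", 1)[-1]
        findings.append((ev["image"], excluded, excluded.lower() == ev["image"].lower()))
    return findings

def minute_interval_tasks(events):
    """schtasks /create runs with a minute schedule: the persistence pattern of the dropped files."""
    return [ev["cmdline"] for ev in events
            if ev["id"] == 1 and ev["image"].lower().endswith("\\schtasks.exe")
            and MINUTE_TASK.search(ev["cmdline"])]

def ransom_extension_burst(events, threshold=5):
    """Per-process count of new files ending in .NonEuclid; a burst marks the encryption stage (T1486)."""
    hits = Counter(ev["image"] for ev in events
                   if ev["id"] == 11 and ev["target"].lower().endswith(".noneuclid"))
    return {img: n for img, n in hits.items() if n >= threshold}

def run_detections(events):
    return {"defender_exclusions": defender_exclusion_writes(events),
            "minute_tasks": minute_interval_tasks(events),
            "ransom_bursts": ransom_extension_burst(events)}

if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The self-exclusion flag (a process adding its own image path to the exclusion list) is the highest-confidence signal here; an administrator tool excluding a build directory is expected noise and is reported without that flag.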

Malicious Backdoor Commands and Information Gathering

The RAT provides unauthorized remote access and control. Specific capabilities include:

  • Camera Access: The code enumerates multimedia devices, such as cameras, using DirectShow.
  • Credential Theft: The RAT includes capabilities to steal wallet passwords, cookies, Discord tokens, VPN, and Telegram information.

MITRE ATT&CK Mapping

The following MITRE ATT&CK techniques have been mapped to the NonEuclid RAT's observed capabilities:

| Tactic | Technique ID | Technique |
|---|---|---|
| Execution | T1059, T1106 | Command and Scripting Interpreter, Native API |
| Persistence | T1547, T1547.001 | Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548.002 | Bypass User Account Control (UAC) |
| Defense Evasion | T1027, T1140, T1497, T1562.001 | Obfuscated Files, Deobfuscate/Decode Files, Virtualization/Sandbox Evasion, Disable or Modify Tools (Anti-Defender/AntiScan) |
| Discovery | T1012, T1057, T1497.001 | Query Registry, Process Discovery, System Checks (Anti-VM) |
| Impact | T1486 | Data Encrypted for Impact (Ransomware) |

Recommendations for Mitigation

Addressing threats like the NonEuclid RAT requires a multi-layered and proactive defense strategy.

  • Implement EDR Solutions: Deploy Endpoint Detection and Response (EDR) solutions to monitor for suspicious activity, such as unauthorized registry changes, process injections, and dynamic DLL loading.
  • Enforce Strict Privilege Management: Adhere to the principle of least-privilege access, ensuring all administrative actions are logged and monitored to detect and prevent privilege escalation attempts.
  • Enhance Antivirus & Patch Management: Ensure all systems and security tools, including antivirus and intrusion detection systems, are fully updated. Conduct regular audits to mitigate vulnerabilities.
  • Block Known Indicators: Use a threat intelligence platform to block the file hashes associated with this malware:
    • SHA-256 (NonEuclid.exe): d32585b207fd3e2ce87dc2ea33890a445d68a4001ea923daa750d32b5de52bf0
    • SHA-256 (Client.exe): e1f19a2bc3ce5153e8dfe2f630cc43d6695fac73f5aaa59cd96dc214ca81c2b0
  • User Awareness: Conduct regular training to educate users about phishing and the risks of running suspicious executables.

The NonEuclid RAT is a prime example of the evolving complexity of modern malware, successfully combining advanced stealth tactics with the destructive capabilities of ransomware. Its widespread promotion underscores the ongoing need for continuous threat intelligence sharing and robust, adaptive security measures to effectively combat these threats.
