Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems.
“The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques,” Cyfirma said in a technical analysis published last week.
“It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files.”
NonEuclid has been advertised in underground forums since at least late November 2024, with tutorials and discussions about the malware discovered on popular platforms like Discord and YouTube. This points to a concerted effort to distribute the malware as a crimeware solution.
At its core, the RAT commences with an initialization phase for a client application, after which it performs a series of checks to evade detection prior to setting up a TCP socket for communication with a specified IP and port.
It also configures Microsoft Defender Antivirus exclusions to prevent the artifacts from being flagged by the security tool, and keeps tabs on processes like “taskmgr.exe,” “processhacker.exe,” and “procexp.exe” which are often used for analysis and process management.
“It uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to enumerate processes and check if their executable names match the specified targets,” Cyfirma said. “If a match is found, depending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application.”
Some of the anti-analysis techniques adopted by the malware include checks to determine if it’s running in a virtual or sandboxed environment, and if found to be so, immediately terminate the program. Furthermore, it incorporates features to bypass the Windows Antimalware Scan Interface (AMSI).
While persistence is accomplished by means of scheduled tasks and Windows Registry changes, NonEuclid also attempts to elevate privileges by circumventing User Account Control (UAC) protections and execute commands.
A relatively uncommon feature is its ability to encrypt files matching certain extension types (e.g., .CSV, .TXT, and .PHP) and renaming them with the extension “. NonEuclid,” effectively turning into ransomware.
“The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities,” Cyfirma said.
“Its widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats. The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware’s adaptability in evading security measures.”
