Cybersecurity researchers have identified a sophisticated threat known as NonEuclid, a remote access trojan (RAT) allowing malicious actors to hijack Windows computers. Developed in C#, NonEuclid incorporates advanced techniques to evade detection and gain unauthorized access.

**Evasion Techniques**

NonEuclid leverages methods such as bypassing antivirus programs and escalating privileges to maintain stealth. It’s also capable of anti-detection maneuvers and encrypting vital files, thereby functioning as ransomware.

Mechanism of Action

The trojan begins by initializing a client application and performing evasion checks before establishing a TCP socket for communication. It strategically configures exclusions in Microsoft Defender Antivirus to prevent alarms and monitors processes like "taskmgr.exe" and "processhacker.exe," essential for system analysis.

Process Management

Utilizing Windows API calls such as CreateToolhelp32Snapshot, Process32First, and Process32Next, NonEuclid scrutinizes running processes. It can terminate these if detected, based on its settings.

Anti-Analysis Measures

NonEuclid includes checks for virtual or sandbox environments, quickly ending operations if detected, and it employs techniques to circumvent the Windows Antimalware Scan Interface (AMSI).

Persistence and Privilege Escalation

Persistence is ensured through scheduled tasks and registry modifications, while UAC bypass mechanisms allow it to execute commands with elevated privileges.

Ransomware Functionality

Unique to NonEuclid is its ability to encrypt files with extensions like .CSV, .TXT, and .PHP by renaming them with a ".NonEuclid" tag, effectively converting the RAT into a ransomware tool. According to Cyfirma's analysis, NonEuclid has been in circulation on underground forums since late November 2024, evidenced by discussions and tutorials on platforms like Discord and YouTube. This promotion underlines the malware’s widespread use and its appeal among cybercriminals. The complexity of NonEuclid underscores the evolving sophistication of modern malware, presenting significant challenges for cybersecurity professionals in mitigating such attacks. Its promotion on popular channels amplifies these challenges.

The link has been copied!