Advanced Evasion Techniques Used by NonEuclid RAT

Threat Group: Developer unknown, promoted by underground forums and individual actors
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: No specific CVE is cited; the malware relies on UAC-bypass privilege escalation, unpatched software, and social engineering
Malware Used: NonEuclid RAT
Threat Score: High (9.0/10) – Advanced persistence, ransomware capabilities, and widespread appeal within cybercrime circles
Last Threat Observation: January 8, 2025


Overview

The NonEuclid RAT is a remote access trojan engineered for stealth, adaptability, and destructive potential. Written in C# and built against .NET Framework 4.8, it combines antivirus evasion, privilege escalation, an integrated ransomware component, and persistence in one package. NonEuclid RAT has gained traction among cybercriminals because of its modular design, the easy-to-follow setup guides circulated on platforms such as Discord and YouTube, and frequent promotion on underground forums.

This RAT is particularly dangerous because of its anti-analysis features, which let it bypass traditional detection mechanisms, disable security tools, and hinder forensic investigation. Its dual role as a surveillance tool and a ransomware agent makes it a serious threat to businesses, governments, and individuals.


Key Details

Delivery Method

  • Spear-phishing emails with weaponized attachments or links
  • Exploitation of unpatched software vulnerabilities
  • Drive-by downloads via compromised websites
  • Tutorials for manual deployment available on underground platforms

Target

Organizations with critical data or intellectual property, including:

  • Government agencies
  • Financial institutions
  • Technology firms
  • Healthcare providers

Functions

  1. Keylogging: Monitors and captures user input for credential theft.
  2. Data Exfiltration: Identifies and extracts sensitive files using predefined criteria.
  3. Process Termination: Actively disables security tools and forensic utilities.
  3. Dynamic DLL Loading: Resolves and loads libraries at runtime so that its imports are not visible to static analysis.
  5. Ransomware Encryption: Encrypts files using AES and appends a ".NonEuclid" extension.

Obfuscation Techniques

  • Anti-VM Checks: Terminates execution when it detects a virtualized or sandbox environment.
  • Windows Defender Exclusions: Modifies Defender settings so that its files and process are excluded from scanning.
  • AMSI Bypass: Patches AMSI (Antimalware Scan Interface) so that script content it runs is not handed to the installed antivirus for inspection.

Persistence

  • Scheduled tasks and registry Run-key modifications relaunch the malware after reboot.
  • Mutex control prevents duplicate instances from launching.

Attack Vectors

NonEuclid RAT employs a multi-pronged approach to infiltration and persistence:

  1. Social Engineering: Convincing phishing campaigns tailored to specific industries or roles.
  2. Privilege Escalation: Utilizes UAC (User Account Control) bypass methods to gain admin rights.
  3. Code Injection: Injects malicious code into legitimate processes to operate undetected.
  4. Encrypted Communication: Maintains secure, encrypted connections with command-and-control (C2) servers.

Technical Analysis

Initialization and Anti-Detection:
NonEuclid RAT delays its startup to avoid drawing attention, marks its own process as critical (so that terminating it crashes Windows), and then disables security measures. It modifies Windows Defender settings at runtime and kills analysis tools such as Task Manager and Process Hacker when they appear.

Connection and Communication:
It establishes TCP socket communication with its C2 server, ensuring continuous connectivity through reconnection logic. This setup allows attackers to issue commands, exfiltrate data, and deploy ransomware payloads.

Advanced Anti-Analysis:
NonEuclid performs a variety of checks to evade forensic tools:

  • Anti-VM techniques detect sandboxed environments and terminate execution.
  • Obfuscation methods and dynamic API invocations complicate reverse engineering.

Ransomware Component:
The malware's ransomware feature encrypts multiple file types and renames them with the ".NonEuclid" extension, effectively locking the user out of their data.
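The behaviours described in the Obfuscation Techniques, Persistence and Technical Analysis sections (Defender exclusions, scheduled-task and Run-key persistence, killing analysis tools) are what an EDR or SIEM should alert on. The following is an added example, not code from the original report or from the malware: it runs simple command-line rules over constructed Sysmon-style process-creation records and then correlates hits by parent process, since one parent performing several of these actions in a single session is far more suspicious than any one of them alone. The record schema (id, parent_pid, image, cmdline) and the rule set are assumptions for illustration; because the RAT is a .NET binary it may also terminate tools through Process.Kill() without ever spawning taskkill, so the kill rule is a heuristic rather than a complete signature.

```python
"""Behavioural detection for the NonEuclid RAT techniques described above.

Added example, not from the original advisory. Runs command-line rules over
constructed Sysmon-style process-creation records and correlates hits per
parent process. Field names (id, parent_pid, image, cmdline) are an assumed
normalised schema, not the real Sysmon XML layout.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # MITRE ATT&CK sub-technique the rule maps to
    record_id: int


# (rule name, ATT&CK id, regex on image basename, regex on lower-cased command line)
RULES = [
    ("defender_exclusion_added", "T1562.001",
     r"powershell(\.exe)?$", r"add-mppreference\s+.*-exclusion(path|extension|process)"),
    ("defender_disabled", "T1562.001",
     r"powershell(\.exe)?$", r"set-mppreference\s+.*-disable(realtimemonitoring|ioavprotection)"),
    ("scheduled_task_persistence", "T1053.005",
     r"schtasks(\.exe)?$", r"/create\b.*/sc\s+(onlogon|onstart|minute)"),
    ("run_key_persistence", "T1547.001",
     r"reg(\.exe)?$", r"\badd\b.*\\currentversion\\run(once)?\b"),
    ("security_tool_kill", "T1562.001",
     r"taskkill(\.exe)?$", r"/im\s+(taskmgr|processhacker|procexp|procmon|x64dbg|wireshark)(\.exe)?"),
]


def evaluate(records):
    """Return one Finding per (record, rule) pair that matches."""
    findings = []
    for rec in records:
        image = rec["image"].rsplit("\\", 1)[-1].lower()   # basename only
        cmd = rec["cmdline"].lower()
        for name, technique, img_re, cmd_re in RULES:
            if re.search(img_re, image) and re.search(cmd_re, cmd):
                findings.append(Finding(name, technique, rec["id"]))
    return findings


def correlate(findings, records, min_rules=2):
    """Parent PIDs whose children triggered at least min_rules distinct rules.

    A dropper that adds a Defender exclusion, installs persistence and kills
    Task Manager from the same parent is the high-confidence case.
    """
    parent_of = {r["id"]: r["parent_pid"] for r in records}
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(parent_of[f.record_id], set()).add(f.rule)
    return sorted(p for p, rules in rules_by_parent.items() if len(rules) >= min_rules)


# Constructed telemetry, not real captures. Records 1-4 share parent 4120
# (the hypothetical dropper); record 5 is a benign admin listing tasks.
SAMPLE_RECORDS = [
    {"id": 1, "parent_pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\\Users\\Public\\svc"'},
    {"id": 2, "parent_pid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr "C:\\Users\\Public\\svc\\host.exe" /sc onlogon /rl highest'},
    {"id": 3, "parent_pid": 4120,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v host /t REG_SZ /d C:\Users\Public\svc\host.exe"},
    {"id": 4, "parent_pid": 4120,
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im Taskmgr.exe"},
    {"id": 5, "parent_pid": 812,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /fo list"},
]


if __name__ == "__main__":
    hits = evaluate(SAMPLE_RECORDS)
    for h in hits:
        print(f"record {h.record_id}: {h.rule} ({h.technique})")
    print("suspicious parents:", correlate(hits, SAMPLE_RECORDS))
```

In a real deployment the same rules apply to Sysmon Event ID 1 or Windows Security Event ID 4688 (with command-line auditing enabled); Defender itself also logs exclusion changes as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is a cheaper signal than parsing PowerShell command lines.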


Known Indicators of Compromise (IoCs)

File Hashes

SHA256:

  • d32585b207fd3e2ce87dc2ea33890a445d68a4001ea923daa750d32b5de52bf0
  • e1f19a2bc3ce5153e8dfe2f630cc43d6695fac73f5aaa59cd96dc214ca81c2b0
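A minimal sweep for the indicators above, added here as an example rather than taken from the sources: it hashes every file under a root with SHA-256, compares each digest against the two published hashes, and separately flags files carrying the ".NonEuclid" extension that the ransomware component appends. The directory tree it creates is constructed test data. Note that the hash list is brittle on its own, since a RAT builder emits a fresh binary per campaign; the extension and the behavioural signals are the more durable detections.

```python
"""IoC sweep for the NonEuclid RAT indicators listed above.

Added example, not part of the original advisory. Walks a directory tree,
hashes every file with SHA-256, reports matches against the published hashes,
and reports files that carry the ransomware's ".NonEuclid" extension. The
sample tree built in a temporary directory is constructed test data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the advisory's IoC list.
KNOWN_SHA256 = {
    "d32585b207fd3e2ce87dc2ea33890a445d68a4001ea923daa750d32b5de52bf0",
    "e1f19a2bc3ce5153e8dfe2f630cc43d6695fac73f5aaa59cd96dc214ca81c2b0",
}
RANSOM_EXT = ".noneuclid"   # compared case-insensitively


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root):
    """Return {'hash_match': [(path, digest)], 'ransom_ext': [path]} for the tree."""
    hits = {"hash_match": [], "ransom_ext": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue   # locked or unreadable; a real sweep would log this
            if digest in KNOWN_SHA256:
                hits["hash_match"].append((str(p), digest))
            if p.suffix.lower() == RANSOM_EXT:
                hits["ransom_ext"].append(str(p))
    return hits


def build_sample_tree():
    """Create a constructed directory tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="noneuclid_demo_"))
    docs = root / "docs"
    docs.mkdir()
    # Constructed stand-in for an encrypted document; content is arbitrary.
    (docs / "budget.xlsx.NonEuclid").write_bytes(b"\x00" * 64)
    (docs / "readme.txt").write_text("plain file, nothing to see")
    (docs / "empty.bin").write_bytes(b"")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = sweep(demo_root)
    print("hash matches :", result["hash_match"])
    print("ransom ext   :", result["ransom_ext"])
```

Run it against a user profile or a file share root; a non-empty `ransom_ext` list with no `hash_match` is the expected outcome for a rebuilt sample, which is exactly why the hashes should not be the only check.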

Mitigation and Recommendations

Strategic Recommendations:

  • Threat Intelligence Collaboration: Join platforms like ISACs (Information Sharing and Analysis Centers) to stay updated on emerging threats.
  • AI-Driven Security Tools: Implement AI-based behavioral analysis to detect anomalies in real-time.

Tactical Recommendations:

  • Endpoint Protection: Use Endpoint Detection and Response (EDR) tools to monitor processes, detect suspicious behavior, and isolate infected endpoints.
  • User Awareness: Regularly train staff on phishing tactics and malware prevention.

Operational Recommendations:

  • Patch Management: Regularly update operating systems and software to address known vulnerabilities.
  • Access Controls: Enforce least-privilege access policies and monitor admin-level activity.

Risk Assessment

The NonEuclid RAT presents a critical risk due to its adaptability, stealth, and dual functionality. Its ability to bypass defenses, persist across reboots, and encrypt critical files makes it a significant threat to organizational security.


Conclusion

The NonEuclid RAT is a stark reminder of the sophistication and persistence of modern malware. Organizations must adopt proactive security measures, enhance staff awareness, and employ cutting-edge detection tools to combat this and similar threats effectively.


Sources:

  1. CYFIRMA - NonEuclid RAT
  2. The Hacker News - Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques