Full Report
Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems. "The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques," Cyfirma said in a technical analysis published last week. "It employs
Analysis Summary
# Tool/Technique: NonEuclid RAT
## Overview
NonEuclid is a newly exposed Remote Access Trojan (RAT) developed in C#. It is being distributed as a crimeware solution, providing threat actors with unauthorized remote control over compromised Windows systems, accompanied by advanced evasion and persistence mechanisms.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows
- Capabilities: Unauthorized remote access, system control, antivirus/AMSI evasion, privilege escalation, ransomware encryption targeting critical files.
- First Seen: Advertised in underground forums since at least late November 2024.
## MITRE ATT&CK Mapping
*Note: Specific TIDs are inferred based on described behaviors (UAC Bypass, AMSI Evasion, Persistence via Scheduled Tasks/Registry, Process Killing).*
- TA0005 - Defense Evasion
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools
      - *Inferred: Configuring Microsoft Defender Antivirus exclusions.*
  - T1027 - Obfuscated Files or Information
    - *Inferred: Use of complex C# development for evasive execution.*
- TA0004 - Privilege Escalation
  - T1548 - Abuse Elevation Control Mechanism
    - *Inferred: Attempts to elevate privileges (UAC Bypass mentioned in title).*
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution
    - *Inferred: Persistence via scheduled tasks and Windows Registry changes.*
- TA0001 - Initial Access / TA0011 - Command and Control
  - T1071 - Application Layer Protocol
    - *Inferred: Communication via TCP socket to a specified IP and port.*
## Functionality
### Core Capabilities
- Establishes a TCP socket connection to a specified Command and Control (C2) server (IP and port).
- Performs initial detection evasion checks (e.g., anti-sandbox/anti-VM checks).
- Monitors for analysis tools, specifically `taskmgr.exe`, `processhacker.exe`, and `procexp.exe`, terminating them or exiting execution if found.
- Configures exclusions within Microsoft Defender Antivirus to prevent detection of its artifacts.
### Advanced Features
- **AMSI Bypass:** Incorporates features specifically designed to bypass the Windows Antimalware Scan Interface (AMSI).
- **UAC Bypass:** Utilizes User Account Control (UAC) bypass techniques (implied by the article title) to gain higher privileges.
- **Privilege Escalation:** Actively attempts to elevate its privileges on the compromised system.
- **Ransomware Component:** Includes functionality to encrypt "critical files," suggesting a secondary ransomware capability integrated into the RAT.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Not provided in the source text, but related to C# client application artifacts]
- Registry Keys: [Implied changes for persistence, but specific keys not listed]
- Network Indicators: TCP communication to specified IP and port (C2).
- Behavioral Indicators:
  - Enumerating processes using Windows API calls (`CreateToolhelp32Snapshot`, `Process32First`, `Process32Next`).
  - Creating scheduled tasks for persistence.
  - Modifying Windows Registry settings.
## Associated Threat Actors
- Threat actors actively marketing and discussing the NonEuclid RAT on underground forums, Discord, and YouTube, suggesting distribution as a ready-to-use crimeware solution. (Specific named groups not provided).
## Detection Methods
- Signature-based detection: Potential signatures based on known C# structure or C2 communication patterns.
- Behavioral detection: Monitoring for process enumeration targeting analysis tools (`taskmgr.exe`, etc.). Detection of custom process termination logic.
- YARA rules: [Not provided in the source text]
## Mitigation Strategies
- Prevention: Employing robust endpoint detection and response (EDR) solutions capable of monitoring API calls related to process enumeration and AMSI interaction.
- Hardening recommendations: Maintaining updated security software to catch post-AMSI bypass activity and monitoring for unauthorized modifications to Windows Defender configurations (exclusions).
- User awareness regarding socially engineered distribution methods (Discord, YouTube tutorials).
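The detection and mitigation items above can be turned into concrete telemetry rules. The following is an added example, not code from the Cyfirma analysis or from any EDR product: it runs three rules over constructed Windows event records (a Defender configuration-change event 5007 mentioning an `Exclusions` registry key, a Sysmon event 1 for `schtasks /create`, and a Sysmon event 10 where an unknown process opens a handle with the PROCESS_TERMINATE right on one of the analysis tools named in the summary). The sample events, the `client.exe` path and the task name are constructed for illustration.

```python
"""Rules for the NonEuclid behaviours listed in the summary (added example).

The events below are constructed telemetry, not real captures. Event IDs
used: Defender/Operational 5007 (configuration changed), Sysmon 1 (process
creation) and Sysmon 10 (process access with a GrantedAccess mask).
"""
import ntpath
import re
from dataclasses import dataclass

# Analysis tools the RAT is reported to look for and terminate.
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe"}
# PROCESS_TERMINATE bit of the Windows process access mask.
PROCESS_TERMINATE = 0x0001
# Defender 5007 messages name the registry key that changed.
EXCLUSION_KEY_RE = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
# Persistence via the scheduled-task CLI.
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)


@dataclass
class Event:
    channel: str               # e.g. "Microsoft-Windows-Sysmon/Operational"
    event_id: int
    image: str = ""            # Sysmon Image / SourceImage
    command_line: str = ""     # Sysmon CommandLine (event 1)
    target_image: str = ""     # Sysmon TargetImage (event 10)
    granted_access: int = 0    # Sysmon GrantedAccess (event 10)
    message: str = ""          # free-text message (Defender 5007)


def detect_defender_exclusion_change(ev: Event) -> bool:
    """Defender reported a configuration change under an Exclusions key."""
    return (ev.channel.endswith("Windows Defender/Operational")
            and ev.event_id == 5007
            and EXCLUSION_KEY_RE.search(ev.message) is not None)


def detect_scheduled_task_creation(ev: Event) -> bool:
    """A new scheduled task was created from the command line."""
    return (ev.channel.endswith("Sysmon/Operational")
            and ev.event_id == 1
            and SCHTASKS_CREATE_RE.search(ev.command_line) is not None)


def detect_analysis_tool_terminate(ev: Event) -> bool:
    """A process requested PROCESS_TERMINATE on a listed analysis tool."""
    return bool(ev.channel.endswith("Sysmon/Operational")
                and ev.event_id == 10
                and ntpath.basename(ev.target_image).lower() in ANALYSIS_TOOLS
                and ev.granted_access & PROCESS_TERMINATE)


RULES = [
    ("defender_exclusion_change", detect_defender_exclusion_change),
    ("scheduled_task_created", detect_scheduled_task_creation),
    ("analysis_tool_terminate_handle", detect_analysis_tool_terminate),
]


def scan(events):
    """Return one alert dict per (event, rule) match, in input order."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                alerts.append({"rule": name, "event_id": ev.event_id, "image": ev.image})
    return alerts


# Constructed sample telemetry: three malicious records followed by two benign ones.
SAMPLE_EVENTS = [
    Event(channel="Microsoft-Windows-Windows Defender/Operational", event_id=5007,
          message="Microsoft Defender Antivirus Configuration has changed. New value: "
                  "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                  "C:\\Users\\Public\\client = 0x0"),
    Event(channel="Microsoft-Windows-Sysmon/Operational", event_id=1,
          image="C:\\Windows\\System32\\schtasks.exe",
          command_line='schtasks /create /sc onlogon /tn "Updater" /tr C:\\Users\\Public\\client.exe'),
    Event(channel="Microsoft-Windows-Sysmon/Operational", event_id=10,
          image="C:\\Users\\Public\\client.exe",
          target_image="C:\\Windows\\System32\\Taskmgr.exe", granted_access=0x1),
    # Benign: a query-only handle (no PROCESS_TERMINATE bit) on Task Manager.
    Event(channel="Microsoft-Windows-Sysmon/Operational", event_id=10,
          image="C:\\Windows\\explorer.exe",
          target_image="C:\\Windows\\System32\\Taskmgr.exe", granted_access=0x1000),
    # Benign: listing a task is not persistence.
    Event(channel="Microsoft-Windows-Sysmon/Operational", event_id=1,
          image="C:\\Windows\\System32\\schtasks.exe",
          command_line="schtasks /query /tn Updater"),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts and none for the two benign records. In production the `Event` objects would be built from a SIEM query or an EVTX parser; the rules themselves are narrow on purpose and should be tuned with an allowlist of administrative tooling that legitimately touches Defender exclusions or creates scheduled tasks.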
## Related Tools/Techniques
- General RAT functionality.
- Specific techniques include UAC Bypass methods and AMSI evasion, often employed by modern malware families.