Published On : 2025-01-02

EXECUTIVE SUMMARY

At CYFIRMA, we provide cutting-edge intelligence on emerging cyber threats targeting organisations and individuals. The NonEuclid Remote Access Trojan (RAT) is a type of malicious software that enables unauthorised remote access and control of a victim’s computer, often without their awareness. This RAT, developed using C# and built for the .NET Framework 4.8, is designed to operate with minimal security checks, making it more difficult for security systems to detect and block its activities.

INTRODUCTION

The NonEuclid Remote Access Trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques. It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files. Promoted in underground forums and social media platforms, it has gained traction due to features like stealth, dynamic DLL loading, anti-VM checks, and AES encryption capabilities. Observations highlight its growing popularity within cybercriminal communities, with tutorials and discussions on platforms like Discord and YouTube, indicating a coordinated effort to distribute and enhance its use in malicious operations.

ANALYSIS

Main Function:

The below code initializes a client application with various security, anti-detection, and installation mechanisms. It first configures settings, delays startup, and ensures administrative privileges for certain features. If the application passes mutex and anti-detection checks, it sets up a client socket for communication and continuously reconnects if the connection is lost. Logging and anti-process blocking are also implemented based on configuration settings.

• Initialization and Delay: The program starts by introducing a delay based on a configured value (Settings.Delay) and initializes application settings. If settings fail to load, the application exits.
• Privilege and Security Checks: It enables critical process handling (BSOD), performs anti-defender scans, and validates administrative privileges for advanced features.
• Installation and Mutex Handling: If enabled, the application installs itself and ensures no duplicate instances are running using mutex control.
• Anti-Detection and Logging: Anti-process blocking and sleep prevention mechanisms are activated, and a logger starts asynchronously for monitoring.
• Socket Communication: A client socket is initialized for server communication, with reconnection logic in place to maintain connectivity continuously.

Initial Connection:

This method initializes a TCP socket, sets buffer sizes, and attempts to connect to a specified IP and port. If successful, it wraps the socket in a NetworkStream, configures timers for keep-alive and pong packets, and starts asynchronous reading for server data. Connection-related properties like headers, offsets, and intervals are initialized. If the connection fails, it sets the connection status to false.

AntiScan

The below AntiScan method attempts to bypass Windows Defender’s scans by adding exclusions to the Defender registry settings. It modifies the registry paths dynamically (by removing obfuscation placeholders like “button” and “UIUSS”). It includes paths such as the malware’s server file location, a watchdog folder, and the current process’s executable file. This is done to prevent these files or folders from being scanned or flagged by Windows Defender.

Anti Process:

The below Block method continuously monitors running processes to detect and terminate specific target processes like “Taskmgr.exe”, “ProcessHacker.exe”, and “procexp.exe”, which are commonly used for analyzing or managing processes. It uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to enumerate processes and check if their executable names match the specified targets. If a match is found, depending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application.

This code defines a method Set that registers an event handler for session ending and marks the current process as critical using the RtlSetProcessIsCritical function, preventing the process from being terminated under certain conditions. The Exit method resets this critical state, allowing normal termination of the process. If an exception occurs during this operation, it enters an infinite loop, effectively stalling the program.

Anti VM:

The RunAntiAnalysis method checks if the program is running in a virtual machine (VM) using the isVM_by_wim_temper method. This method queries system information (Win32_CacheMemory) to detect the presence of memory objects indicative of a physical machine. If no objects are found (indicating a VM or sandbox environment), the program terminates with exit code 240, acting as an anti-analysis mechanism.

ASMI (Antimalware Scan Interface) Bypass:

The code below searches for the “amsi.dll” module within the current process’s loaded modules. If found, it triggers the PatchMem function to modify specific memory regions related to “AmsiScanBuffer” – for bypassing Windows Defender’s AMSI (Antimalware Scan Interface) scanning. This would allow the execution of potentially malicious code without being flagged by AMSI, a security feature designed to detect and block harmful scripts.

Camera access

The following code enumerates multimedia devices (e.g., cameras) using DirectShow. It initializes a device enumerator and retrieves devices in the specified category using IEnumMoniker. Each device is queried for its properties via IPropertyBag, and a custom function is executed for each device. Finally, all resources are properly released to ensure no memory leaks occur.

Dynamically loading DLL:

This code defines a method to dynamically invoke Windows API functions using their DLL names and function names. The DynamicAPIInvoke method retrieves the function’s address and calls it with specified parameters using DynamicFunctionInvoke, which converts the address into a delegate for invocation. The NtProtectVirtualMemory function is specifically designed to change the memory protection of a specified region in a process, utilizing the dynamic invocation approach to maintain flexibility and stealth, which is commonly employed in scenarios involving low-level system manipulation.

Persistence – Schedule Task

The Schtasks method creates a scheduled task using the Windows command line. It constructs a command to schedule a task that runs at specified minute intervals, hiding the command window and suppressing output. The method checks if the application has administrative privileges and sets the appropriate verb for executing the command. The task’s name and execution path are passed as arguments to the schtasks command.

Privilege escalation- UAC Bypass

The Bypass method attempts to manipulate the Windows registry and execute a command to bypass certain restrictions. It first checks if the application is running with administrative privileges. If not, it creates a registry key under CurrentUser to potentially modify system settings related to execution paths. It then sets the current process’s executable path in the registry and attempts to execute a secondary executable related to the “start” command. After a brief wait, it cleans up by deleting the previously created registry keys and exits the application.

Persistence – Registry Value changes

The HKCU method updates a specific registry key under HKEY_CURRENT_USER to store a given Name. It checks if the existing value is null or different from the provided Name, and if so, it sets the value accordingly, handling exceptions by returning false in case of any errors during the process.

Ransomware

The developer behind the ransomware is utilizing AES encryption to lock various file types, including those with extensions such as “.csv”, “.txt”, and “.php”. After encryption, each affected file is renamed with the extension “.NonEuclid”.

Dynamic Analysis

Dropped Files:
When executed, the malware drops two executable files in different folders. These files are configured to run automatically via the Task Scheduler, ensuring they remain persistent by executing without manual intervention. This technique is used to maintain persistence, allowing the malware to continue running even if the system is rebooted or attempts are made to stop it.

1. File name & path – Discord Update -CUsers<username>AppDataRoamingobs-studioupdates.exe
2. File name & path – update-5-2-12-24-16662380877-282556156-167069681-1011 – CUsers<username>AppDataRoamingMicrosoftWindowsTemplates IntelGamesCommonCommonuadate.exe

Capabilities outlined in the following mind map:

EXTERNAL THREAT LANDSCAPE MANAGEMENT

We discovered a NONEUCLID RAT being advertised on an underground forum by a user who joined the forum on October 14th.

On November 30th, the same user published details about the RAT they had developed, promoting its advanced capabilities. The advertisement emphasizes features such as antivirus bypass, compatibility with cryptors for obfuscation, and other sophisticated functionalities.

We observed a user “NAZZED” who created a YouTube account on Oct 15th and has 110 subscribers. He has also uploaded multiple videos on How to build a RAT like Xworm, Silver RAT, Sheerat, Wiz worm RAT, and DC RAT including how to set up a new Ratnik NONEUCLID RAT.

Ratnik” means “warrior” in Slavic languages, but in hacking, it’s used as a term for a RAT.

We have observed a Discord account of the RAT developer who joined Discord on June 21, 2021, and subsequently created a server on October 15th. Within this server, discussions have been taking place regarding various RATs, including the NONEUCLID RAT.

In 2021, numerous users across various Russian forums and Discord channels were actively advertising, selling, and discussing the NonEuclid RAT.

CONCLUSION

The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities. Its widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats. The integration of features like privilege escalation, ASMI bypass, and process blocking showcases the malware’s adaptability in evading security measures. Addressing threats like NonEuclid requires proactive defense strategies, continuous monitoring, and awareness of evolving cybercriminal tactics to mitigate their impact effectively.

MITRE ATTACK FRAMEWORK

RECOMMENDATIONS

Strategic Recommendations:

Enhance Threat Intelligence Sharing:
Establish partnerships with external threat intelligence platforms and agencies to stay informed about emerging threats like the NonEuclid RAT. Sharing intelligence within the cybersecurity community helps in early detection and mitigation.

Invest in Advanced Security Technologies:
Allocate resources to integrate AI-driven security tools capable of detecting sophisticated evasion techniques, including behavioral analysis, anomaly detection, and memory-based scanning.

Tactical Recommendations:

Deploy Endpoint Detection and Response (EDR) Solutions:
Implement EDR solutions to monitor endpoints for suspicious activities like unauthorized registry changes, process injections, and dynamic DLL loading, ensuring rapid containment.

Strengthen User Awareness Training:
Conduct regular training programs to educate users about phishing attempts, RAT deployment tactics, and the importance of secure practices, such as not running suspicious executables or sharing credentials.

Operational Recommendations:

Implement Strict Privilege Management:
Enforce least-privilege access policies and ensure administrative actions are logged and monitored to prevent privilege escalation attempts by malware.

Perform Regular Patch Management and Audits:
Ensure all systems, software, and frameworks are up to date with the latest security patches. Conduct periodic audits to identify and mitigate vulnerabilities that malware could exploit.

INDICATORS OF COMPROMISES

Full Research: https://www.cyfirma.com/research/noneclid-rat/