Cybersecurity researchers have shed light on a new remote access Trojan called Non-Euclid which allows attackers to remotely control compromised Windows systems.
“Developed in C#, the NonEuclid Remote Access Trojan (RAT) is a highly sophisticated malware offering unauthorized remote access with advanced evasion techniques” – Cyfirma said in a technical analysis published last week.
“It uses a variety of mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption to target sensitive files.”
NonEuclid has been advertised on underground forums since at least late November 2024. with tutorials and discussions of malware discovered on popular platforms such as Discord and YouTube. This suggests a concerted effort to distribute malware as a solution to criminal software.
Essentially, the RAT starts with an initialization phase for the client application, after which it performs a series of checks to avoid detection before setting up a TCP socket to communicate with the specified IP and port.
It also configures Microsoft Defender Antivirus exceptions to prevent artifacts from being flagged by security tools, and monitors processes such as “taskmgr.exe”, “processhacker.exe” and “procexp.exe” that are often used for process analysis and management.
“It uses Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to enumerate processes and check that their executable names match the specified targets,” Cyfirma said. “If a match is found, depending on the AntiProcessMode setting, it either kills the process or triggers an exit for the client application.”
Some of the anti-analysis techniques adopted by the malware include checking to determine if it is running in a virtual environment or a sandbox and, if detected, terminating the program immediately. It also includes features to bypass the Windows anti-malware scanning interface (AMSI).
While persistence is achieved through scheduled tasks and changes to the Windows registry, NonEuclid also attempts to elevate privileges by bypassing User Account Control (UAC) protections and executing commands.
A relatively rare feature is its ability to encrypt files that match certain types of extensions (such as .CSV, .TXT, and .PHP) and rename them with a “.NonEuclid” extension, effectively turning them into ransomware.
“The NonEuclid RAT is an example of the increasing sophistication of today’s malware, combining advanced stealth mechanisms, anti-detection features and ransomware capabilities,” Cyfirma said.
“Its widespread promotion on underground forums, Discord servers and educational platforms demonstrates its attractiveness to cybercriminals and highlights the challenges in combating such threats. The integration of features such as privilege escalation, AMSI bypass, and process blocking demonstrates the ability of malware to adapt to circumventing security measures.”
