The NonEuclid Remote Access Trojan (RAT), detailed in a report by CYFIRMA, represents a significant evolution in malware sophistication. Developed in C# for the .NET Framework 4.8, NonEuclid is built to evade detection and offers a suite of advanced capabilities, including ransomware encryption, privilege escalation, and anti-detection mechanisms.
NonEuclid has been actively promoted across underground forums, Discord servers, and social media platforms. CYFIRMA reports that “the RAT has gained traction due to features like stealth, dynamic DLL loading, anti-VM checks, and AES encryption capabilities.” This growing popularity is fueled by tutorials and discussions on platforms like YouTube and Discord, where users are shown how to deploy the malware effectively.
NonEuclid’s architecture demonstrates the complexity of modern malware. Some of its key capabilities include:
- Antivirus Evasion: By dynamically modifying Windows Defender’s registry settings, NonEuclid prevents scans of its malicious files.
- Anti-Process Termination: It continuously monitors for and terminates processes like Task Manager or Process Explorer, tools often used to detect malicious activity.
- Virtual Machine Detection: Using memory queries, it terminates itself if executed in a virtual environment, avoiding analysis in sandboxed setups.
- Scheduled Tasks for Persistence: The malware uses Windows Task Scheduler to ensure its files run automatically, even after system reboots.
NonEuclid also functions as ransomware, encrypting various file types with AES encryption and appending the “.NonEuclid” extension. CYFIRMA notes, “The developer behind the ransomware is utilizing AES encryption to lock various file types, including those with extensions such as ‘.csv’, ‘.txt’, and ‘.php’.”
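For defenders, the behaviours listed above can be correlated per host. The following triage sketch is an added example, not code from the CYFIRMA report. The event schema and sample events are constructed, and the Defender registry path is the standard Windows location, assumed here because the summary does not say which settings are modified.

```python
from collections import defaultdict

# Assumed, simplified event schema (loosely modelled on endpoint telemetry):
#   host, event ("registry_set" | "process_create" | "file_create"),
#   image (acting process), target (key or file path), cmdline
DEFENDER_KEY = r"hklm\software\microsoft\windows defender"
DEFENDER_OWN = ("msmpeng.exe", "mpcmdrun.exe")  # Defender's own binaries

def classify(ev):
    """Return the behaviour label an event matches, or None."""
    image = ev.get("image", "").lower()
    target = ev.get("target", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["event"] == "registry_set" and target.startswith(DEFENDER_KEY):
        if not image.endswith(DEFENDER_OWN):
            return "defender_registry_tamper"
    if (ev["event"] == "process_create"
            and image.endswith("schtasks.exe") and "/create" in cmd):
        return "scheduled_task_created"
    if ev["event"] == "file_create" and target.endswith(".noneuclid"):
        return "ransom_extension"
    return None

def triage(events, min_signals=2):
    """Report hosts showing at least min_signals distinct behaviours.

    Task creation alone is routine admin activity, so a single
    signal is not reported by default."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_signals}

# Constructed sample events; hosts, paths and task names are invented.
SAMPLE = [
    {"host": "WS01", "event": "registry_set",
     "image": r"C:\Users\a\AppData\Roaming\client.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"},
    {"host": "WS01", "event": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /sc onlogon /tr client.exe"},
    {"host": "WS01", "event": "file_create",
     "image": r"C:\Users\a\AppData\Roaming\client.exe",
     "target": r"C:\Users\a\Documents\report.csv.NonEuclid"},
    {"host": "WS02", "event": "registry_set",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan"},
    {"host": "WS02", "event": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Backup /sc daily /tr backup.cmd"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Requiring several distinct signals keeps routine scheduled-task creation on WS02 from raising an alert on its own.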
The malware’s developer, active under the alias “NAZZED,” has been promoting NonEuclid since October 2021. CYFIRMA observed that “numerous users across various Russian forums and Discord channels were actively advertising, selling, and discussing the NonEuclid RAT.” This broad promotion underscores its appeal within cybercriminal communities and its role as a tool for sophisticated attacks.
As CYFIRMA concludes, “The NonEuclid RAT exemplifies the increasing sophistication of modern malware, combining advanced stealth mechanisms, anti-detection features, and ransomware capabilities.”