Stratos Ally

Researchers Reveal NonEuclid RAT's Evasion Tactics

StratosAlly

Cybersecurity researchers have discovered a new and dangerous remote access trojan (RAT) called NonEuclid. This sophisticated malware gives attackers covert control over infected Windows computers.

Cyfirma, in its technical analysis, said that NonEuclid, developed in C#, is designed to be very difficult to detect. It uses various mechanisms to avoid being caught by antivirus software, gain high-level access to the system, and even encrypt important files, effectively acting as ransomware.

This malware has been actively promoted among cybercriminals since November 2024. It is being shared on platforms like Discord and YouTube, with tutorials and discussions readily available. This suggests a concerted effort to spread NonEuclid as a tool for criminal activities.

The RAT begins with an initialization phase for the client application, followed by a series of anti-detection checks. Once these checks are complete, it establishes a TCP socket to communicate with a designated IP address and port. 

The malware persists on the infected system by creating scheduled tasks and modifying system settings. The RAT also sets up exclusions in Microsoft Defender Antivirus so that its artifacts are not scanned by the security tool. Additionally, it monitors processes such as "taskmgr.exe," "processhacker.exe," and "procexp.exe," which are commonly used for analysis and process management.

According to Cyfirma, “It leverages Windows API calls (CreateToolhelp32Snapshot, Process32First, Process32Next) to list processes and compare their executable names against specified targets. If a match is detected, the RAT either terminates the process or forces the client application to exit, depending on the AntiProcessMode setting.”  

NonEuclid employs a range of stealth techniques. It checks for signs that it is running in a virtual environment or being analyzed by security tools, and it specifically targets and disrupts security processes.

Beyond persistence, it also attempts to gain higher privileges by bypassing User Account Control (UAC) protections to execute commands, allowing it to perform more actions on the compromised system.

A concerning feature of NonEuclid is its ability to encrypt files. It targets specific file types like .CSV, .TXT, and .PHP, renames them with the extension ".NonEuclid," and holds them until a ransom is paid.
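As an added example (not code from Cyfirma's analysis or this write-up), the behaviours described above turned into a toy detection pass over constructed Sysmon-style events: Defender exclusion changes, scheduled-task creation, termination of the named analysis tools, and a burst of renames to the reported extension. The event shape, the image name client.exe, the task name and the file paths are assumptions; the cmdlet, registry key and schtasks switch are real.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
RANSOM_EXT = ".noneuclid"   # extension reported in the Cyfirma analysis
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe"}
EXCL_KEY = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)  # real Defender key
EXCL_CMD = re.compile(r"Add-MpPreference\s+-Exclusion", re.I)     # real cmdlet
TASK_CMD = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
@dataclass
class Event:
    """Constructed Sysmon-like record (assumed shape, not real telemetry)."""
    kind: str    # "proc": command line, "reg": registry path, "rename": new name, "kill": image
    image: str   # process the activity is attributed to
    detail: str
def tag(ev):
    """Return the NonEuclid behaviour an event resembles, else None."""
    d = ev.detail
    if ev.kind == "proc" and EXCL_CMD.search(d):
        return "defense_evasion:defender_exclusion"
    if ev.kind == "reg" and EXCL_KEY.search(d):
        return "defense_evasion:defender_exclusion"
    if ev.kind == "proc" and TASK_CMD.search(d):
        return "persistence:scheduled_task"
    if ev.kind == "kill" and d.lower() in ANALYSIS_TOOLS:
        return "anti_analysis:tool_terminated"
    if ev.kind == "rename" and d.lower().endswith(RANSOM_EXT):
        return "impact:ransom_extension"
    return None
def scan(events, rename_burst=3):
    """Group behaviours per source image; one rename is noise, a burst is not."""
    hits, renames = defaultdict(set), defaultdict(int)
    for ev in events:
        t = tag(ev)
        if t == "impact:ransom_extension":
            renames[ev.image] += 1
            if renames[ev.image] < rename_burst:
                continue   # wait for the burst before raising the alert
        if t:
            hits[ev.image].add(t)
    return {img: sorted(ts) for img, ts in hits.items()}
SAMPLE = [  # constructed events for a hypothetical client.exe
    Event("proc", "client.exe", "powershell -c Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData"),
    Event("reg", "client.exe", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"),
    Event("proc", "client.exe", "schtasks.exe /create /sc onlogon /tn Updater /tr client.exe"),
    Event("kill", "client.exe", "procexp.exe"),
    Event("rename", "client.exe", r"C:\u\q1.csv.NonEuclid"),
    Event("rename", "client.exe", r"C:\u\notes.txt.NonEuclid"),
    Event("rename", "client.exe", r"C:\u\index.php.NonEuclid"),
]
```

Running `scan(SAMPLE)` attributes all four behaviour classes to client.exe; a real deployment would key on process GUIDs rather than image names and tune the burst threshold to the host's normal rename rate.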

NonEuclid highlights the growing sophistication of cyber threats. Its ability to evade detection, combined with its destructive capabilities, makes it a significant concern for both individuals and organizations. Its advanced features, active promotion, and potential for widespread damage make it a serious threat.
