Windows systems have been covertly hijacked by the newly emergent NonEuclid remote access trojan (RAT), which combines antivirus evasion, anti-detection checks, privilege escalation, and ransomware-style file encryption, reports The Hacker News.
According to Cyfirma researchers, NonEuclid RAT, which has been circulating on the dark web since late November, first initialises its client application, then runs detection-bypass checks and establishes a TCP socket, adds Microsoft Defender Antivirus exclusions, and uses Windows API calls to enumerate running processes.
Besides bypassing the Windows Antimalware Scan Interface (AMSI) and User Account Control (UAC) defenses, NonEuclid RAT can also act as ransomware, encrypting .TXT, .CSV, and .PHP files, the Cyfirma report said.
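The Defender-exclusion behaviour described above leaves a footprint that defenders can audit. The following PowerShell script is an added example, not code from the Cyfirma report or from the malware; it lists the current exclusions, pulls Defender configuration-change events (ID 5007) that touched the Exclusions keys, and flags exclusions under user-writable locations. The look-back window and the "suspicious path" patterns are assumptions to adjust for your environment.

```powershell
# Added example: audit Microsoft Defender exclusions and recent changes to them.
# Run in an elevated PowerShell session on the host being checked.

# 1. Exclusions currently in effect, as reported by the Defender preference cmdlet.
$pref = Get-MpPreference
$current = [PSCustomObject]@{
    Paths      = @($pref.ExclusionPath)
    Extensions = @($pref.ExclusionExtension)
    Processes  = @($pref.ExclusionProcess)
}
"Current Defender exclusions:"
$current | Format-List

# 2. Flag exclusions that point into user-writable locations (assumed heuristic;
#    extend the pattern list for your environment).
$suspiciousPattern = '\\Users\\|\\AppData\\|\\Temp\\|\\Public\\|\\ProgramData\\'
$flagged = @($current.Paths + $current.Processes) |
    Where-Object { $_ -and ($_ -match $suspiciousPattern) }
if ($flagged) {
    "Exclusions in user-writable locations (review these):"
    $flagged | ForEach-Object { "  $_" }
}

# 3. Configuration-change events (ID 5007) in the Defender operational log whose
#    message references the Exclusions registry keys. Adding an exclusion through
#    Add-MpPreference, Set-MpPreference or the registry produces one of these.
$since = (Get-Date).AddDays(-7)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Exclusions\\' }

"Exclusion changes since $since : $(@($events).Count)"
foreach ($e in $events) {
    # The 5007 message carries 'Old value:' and 'New value:' lines, e.g.
    # New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\x = 0x0
    $newValue = (($e.Message -split "`r?`n") |
        Where-Object { $_ -like '*New value:*' }) -join ' '
    [PSCustomObject]@{
        Time   = $e.TimeCreated
        Change = $newValue.Trim()
    }
}
```

Pair the event query with log forwarding to your SIEM so that exclusion changes on endpoints are visible centrally, not only on the host where they occurred.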
"NonEuclid RAT's widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats," said Cyfirma. "The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware's adaptability in evading security measures."