Thursday, January 23, 2025
HomeCyber Security NewsNew I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed “I2PRAT,” which leverages encrypted peer-to-peer (P2P) communication via the Invisible Internet Project (I2P) network to avoid detection.

The malware, first reported on November 19 by the researcher Gi7w0rm, demonstrates a highly sophisticated infection chain and innovative evasion techniques, raising concerns among the global cybersecurity community.

I2PRAT’s standout feature is its use of I2P, an encrypted P2P overlay network designed for anonymous communication.

Unlike traditional command-and-control (C2) communication methods, I2P obscures the source and destination of data, making it nearly impossible for security tools to intercept or trace the traffic.

The malware utilizes I2PD, an open-source I2P client, to establish these clandestine C2 channels, allowing it to exfiltrate data and receive commands without detection.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Infection Chain Overview

The malware’s infection chain begins with a targeted phishing email. Victims are lured into clicking a malicious link directing them to a fake CAPTCHA verification page.

Infection overview
Infection overview

The page uses deceptive JavaScript to copy a malicious PowerShell script to the clipboard, tricking users into inadvertently executing it.

This script downloads the first-stage malware loader, which disables Windows Defender and deploys further malicious payloads.

Key steps in the infection chain include:

  • Disabling Windows Defender to bypass antivirus protections.
  • Deploying Windows Filtering Platform (WFP) filters to block Microsoft security updates.
  • Installing a Remote Access Trojan (RAT) as a system service.
  • Establishing encrypted C2 communication through I2P.

I2PRAT incorporates multiple layers of obfuscation and defense evasion tactics. For example, it deploys batch scripts to disable Microsoft Defender updates and exclude key directories from scans.

Additionally, it leverages WFP filters to block telemetry data from being sent to Microsoft’s security cloud, rendering the infected device vulnerable and blind to updates.

Fake captcha page
Fake captcha page

The malware also employs a clever trick by creating a hidden directory named to resemble the “My Computer” system shortcut, making its files hard to locate. Permissions within this directory are restricted using utilities like icacls.exe, further masking its presence.

Modular RAT and I2P Communication

At the core of I2PRAT is a modular Remote Access Trojan (RAT) that uses plugins to deliver various malicious functionalities. Communication between the malware and its C2 infrastructure is established through I2P, ensuring all data exchanges are encrypted and anonymized.

This approach allows threat actors to issue commands, exfiltrate sensitive information, and deploy additional payloads while evading traditional network monitoring.

I2PRAT showcases the growing trend of malware developers adopting encrypted P2P networks like I2P to outmaneuver cybersecurity defenses, as per a report by Gdata Software.

The use of anonymized communication channels complicates detection and mitigation, posing a significant challenge for organizations and researchers alike.

To counter such threats, organizations must adopt advanced threat detection systems capable of monitoring anomalous network behaviors and implement robust email security protocols to prevent phishing attacks.

End-user awareness training also plays a critical role in reducing the likelihood of successful exploits.

The cybersecurity community continues to analyze I2PRAT to develop effective countermeasures, but its use of encrypted P2P communication highlights an alarming evolution in cyber threats.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...