Cyber Security News

Ratatouille Malware Bypasses UAC and Exploits the I2P Network to Launch Cyber Attacks

A newly discovered malware, dubbed "Ratatouille" (or I2PRAT), is raising alarms in the cybersecurity community because of its methods for bypassing User Account Control (UAC) and its use of the Invisible Internet Project (I2P) network for anonymous command-and-control (C2) communications.

First identified in late 2024, this multi-stage Remote Access Trojan (RAT) employs advanced techniques to evade detection, escalate privileges, and maintain persistence on infected systems.

The infection chain starts with phishing emails or malicious links that lead to fake CAPTCHA verification pages (the ClickFix lure), which instruct the victim to run a PowerShell command.

Once the victim executes that PowerShell script, the malware's loader is deployed.

This loader uses dynamic API resolution, parent process ID spoofing, and obfuscation techniques to bypass defenses and elevate privileges.

Notably, it attempts to escalate privileges by abusing, over RPC, the AppInfo service (the Windows service that implements UAC elevation).

However, recent Windows security patches have rendered this method less effective, forcing the malware to rely on alternative strategies like process migration and token manipulation.

I2P Network as a Stealth Communication Channel

According to Sekoia, what sets Ratatouille apart is its use of the I2P network for C2 communications.

Unlike traditional malware that connects to traceable IP addresses or domains, I2PRAT anonymizes its traffic through the I2P overlay's encrypted peer-to-peer tunnels, so there is no single C2 server address for defenders to block or attribute.

[Figure: ClickFix campaign delivering advanced loader that drops I2PRAT]

This allows attackers to issue commands, exfiltrate data, and deploy additional payloads without revealing their identities or locations.

The malware employs AES-128 encryption with unique keys for each session, further complicating detection.

The RAT's modular architecture consists of several DLL components, such as cnccli.dll for C2 communication and dwlmgr.dll for file management, which communicate with each other through an event-driven system.

These modules enable functionalities like remote desktop hijacking, file transfers, and user account manipulation.

The malware also weakens Microsoft Defender by running PowerShell that blocks definition updates and adds exclusions for key directories, so its components are not scanned.

Mitigation Challenges

Detecting Ratatouille poses significant challenges due to its stealthy techniques.

It obfuscates strings using XOR operations and dynamically resolves API calls at runtime, making static analysis difficult.

Additionally, its use of I2P obscures network traffic patterns that traditional monitoring tools rely on.

Researchers have nonetheless identified several detection opportunities, for instance:

  • Monitoring event logs for privilege escalation attempts involving SeDebugPrivilege (e.g., Security event 4672, "Special privileges assigned to new logon", or 4673, "A privileged service was called", for accounts that should not hold that privilege).
  • Detecting anomalous process creation patterns linked to UAC bypasses or parent ID spoofing.
  • Correlating specific TCP sequences associated with its encrypted C2 handshake.
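The first two detection points, implemented as an added example (this is not code from the article or from Sekoia's report) over constructed sample events. It assumes process-start telemetry that records the PID of the process that actually called CreateProcess separately from the parent the new process reports; an ETW consumer of Microsoft-Windows-Kernel-Process ProcessStart events gets these from the event header's ProcessID and the ParentProcessID payload field respectively. Field names, PIDs, account names and the allowlists are this example's own, and the svchost.exe exemption exists because legitimate UAC elevation through AppInfo also re-parents the elevated process onto the requester.

```python
"""Detection sketch for two I2PRAT behaviours: SeDebugPrivilege handed to an
interactive account, and parent-PID spoofing. Added example with constructed
telemetry; field names and sample values are not from real hosts."""

# Accounts that legitimately receive SeDebugPrivilege on every logon; alerting
# on them would be pure noise. Extend per environment (assumption).
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Creators that legitimately start processes with a different reported parent.
# The AppInfo service (hosted in svchost.exe) does this for every UAC elevation,
# setting the requesting process as the parent of the elevated child (assumption:
# tune to your environment, e.g. WmiPrvSE.exe for WMI-spawned processes).
LEGIT_REPARENTING_CREATORS = {"svchost.exe", "WmiPrvSE.exe"}

# Constructed sample events. "Security"/4672 mirrors the fields of the Windows
# "Special privileges assigned to new logon" event; "Kernel-Process"/1 mirrors a
# ProcessStart record where creator_pid is who called CreateProcess (ETW header
# ProcessID) and parent_pid is the parent the new process claims (ParentProcessID).
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4672,
     "account": "NT AUTHORITY\\SYSTEM",
     "privileges": ["SeDebugPrivilege", "SeTcbPrivilege"]},
    {"source": "Security", "event_id": 4672,
     "account": "CORP\\jdoe",
     "privileges": ["SeDebugPrivilege", "SeImpersonatePrivilege"]},
    # honest parent: powershell.exe started by PID 3004, reports 3004
    {"source": "Kernel-Process", "event_id": 1, "pid": 4512,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "creator_pid": 3004, "creator_image": "explorer.exe", "parent_pid": 3004},
    # legitimate UAC elevation: created by AppInfo (svchost), re-parented to requester
    {"source": "Kernel-Process", "event_id": 1, "pid": 4600,
     "image": r"C:\Windows\System32\mmc.exe",
     "creator_pid": 900, "creator_image": "svchost.exe", "parent_pid": 3004},
    # spoofed parent: dropped binary created by powershell (4512) but claims PID 1280
    {"source": "Kernel-Process", "event_id": 1, "pid": 4780,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\wv.exe",
     "creator_pid": 4512, "creator_image": "powershell.exe", "parent_pid": 1280},
]


def debug_privilege_grants(events, allowlist=SERVICE_ACCOUNTS):
    """Accounts outside the allowlist whose new logon received SeDebugPrivilege."""
    hits = []
    for ev in events:
        if ev.get("source") != "Security" or ev.get("event_id") != 4672:
            continue
        if ev["account"] in allowlist:
            continue
        if "SeDebugPrivilege" in ev.get("privileges", []):
            hits.append(ev["account"])
    return hits


def spoofed_parents(events, legit_creators=LEGIT_REPARENTING_CREATORS):
    """Process starts whose claimed parent is not the process that created them,
    excluding creators known to re-parent legitimately (AppInfo elevation)."""
    hits = []
    for ev in events:
        if ev.get("source") != "Kernel-Process" or ev.get("event_id") != 1:
            continue
        if ev["creator_pid"] == ev["parent_pid"]:
            continue
        if ev.get("creator_image") in legit_creators:
            continue
        hits.append({"pid": ev["pid"], "image": ev["image"],
                     "claimed_parent": ev["parent_pid"],
                     "actual_creator": ev["creator_pid"]})
    return hits


def triage(events):
    """Run both checks and return a findings dict usable as an alert payload."""
    return {
        "debug_privilege_accounts": debug_privilege_grants(events),
        "spoofed_parent_processes": spoofed_parents(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Neither check is a signature for I2PRAT on its own: SeDebugPrivilege grants to admins and re-parented process starts both occur in normal operation. The value is in correlating them, as the article suggests, with the same user session and a short time window, and in the creator-versus-claimed-parent mismatch, which no amount of string obfuscation in the sample can hide.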

Organizations are advised to adopt advanced endpoint detection solutions capable of analyzing behavioral patterns and correlating events across multiple vectors.

Regular patching of operating systems also matters here, since it is Windows updates that have blunted the malware's AppInfo-based privilege escalation.

Ratatouille exemplifies the evolving sophistication of cyber threats.

By combining advanced privilege escalation methods with anonymized communication channels like I2P, it demonstrates how attackers are increasingly leveraging decentralized networks to evade detection.

As this malware continues to evolve, robust threat intelligence and proactive defense mechanisms will be essential in combating its impact.


Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.
