
Ratatouille Malware Bypasses UAC Control & Exploits I2P Network to Launch Cyber Attacks

A newly discovered malware, dubbed “Ratatouille” (or I2PRAT), is raising alarms in the cybersecurity community due to its sophisticated methods of bypassing User Account Control (UAC) and leveraging the Invisible Internet Project (I2P) network for anonymous Command and Control (C2) communications.

First identified in late 2024, this multi-stage Remote Access Trojan (RAT) employs advanced techniques to evade detection, escalate privileges, and maintain persistence on infected systems.

The malware initiates its attack through phishing emails or malicious links disguised as CAPTCHA verification pages.

Once a victim executes the embedded PowerShell script, the malware’s loader is deployed.

This loader uses dynamic API resolution, parent process ID spoofing, and obfuscation techniques to bypass defenses and elevate privileges.

Notably, it attempts to exploit an RPC mechanism via the AppInfo service for privilege escalation.

However, recent Windows security patches have rendered this method less effective, forcing the malware to rely on alternative strategies like process migration and token manipulation.

I2P Network as a Stealth Communication Channel

According to Sekoia, what sets Ratatouille apart is its use of the I2P network for C2 communications.

Unlike traditional malware that relies on traceable IP addresses or domains, I2PRAT anonymizes its traffic through encrypted peer-to-peer connections.

[Figure: ClickFix campaign delivering advanced loader that drops I2PRAT]

This allows attackers to issue commands, exfiltrate data, and deploy additional payloads without revealing their identities or locations.

The malware employs AES-128 encryption with unique keys for each session, further complicating detection.

The RAT’s modular architecture includes several DLL components, such as cnccli.dll for C2 communication and dwlmgr.dll for file management, which communicate via an event-driven system.

These modules enable functionalities like remote desktop hijacking, file transfers, and user account manipulation.

The malware also disables security features like Microsoft Defender by executing PowerShell scripts that block updates and add exclusions to critical directories.

Mitigation Challenges

Detecting Ratatouille poses significant challenges due to its stealthy techniques.

It obfuscates strings using XOR operations and dynamically resolves API calls at runtime, making static analysis difficult.
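The XOR string obfuscation mentioned above is a common obstacle in static analysis, and the usual analyst response is to brute-force the key and rank the decodings by how text-like they look. The script below is an added example written for this article, not code from Sekoia or from the malware: the article does not state the key length or scheme I2PRAT uses, so a single-byte repeating key is an assumption for illustration, and the sample blob is constructed here from the DLL and privilege names the article mentions.

```python
import string

# Byte classes a deobfuscated string is expected to consist of: ASCII letters,
# digits, a few path/identifier characters, and NUL as a string terminator.
# This is a deliberately strict alphabet (an assumption); widen it for other samples.
TEXTLIKE = set((string.ascii_letters + string.digits + "._\\ ").encode()) | {0}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte repeating XOR key (the assumed obfuscation scheme)."""
    return bytes(b ^ key for b in data)


def textlike_ratio(candidate: bytes) -> float:
    """Fraction of bytes in TEXTLIKE; a correct decoding of the sample scores 1.0."""
    return sum(b in TEXTLIKE for b in candidate) / max(len(candidate), 1)


def recover_xor_key(blob: bytes) -> tuple:
    """Brute-force all 256 single-byte keys and keep the most text-like decoding."""
    best_key = max(range(256), key=lambda k: textlike_ratio(xor_bytes(blob, k)))
    return best_key, xor_bytes(blob, best_key)


def extract_strings(decoded: bytes, min_len: int = 4) -> list:
    """Split on NUL terminators and keep printable runs of at least min_len bytes."""
    found = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            found.append(chunk.decode("ascii"))
    return found


# Constructed sample: NUL-separated strings from the article, XORed with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"cnccli.dll\x00dwlmgr.dll\x00SeDebugPrivilege\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


def deobfuscate(blob: bytes = SAMPLE_BLOB) -> tuple:
    """Return (recovered_key, list_of_strings) for an obfuscated string table."""
    key, decoded = recover_xor_key(blob)
    return key, extract_strings(decoded)


if __name__ == "__main__":
    key, strings_found = deobfuscate()
    print(f"key=0x{key:02x} strings={strings_found}")
```

The strict alphabet is what makes the ranking reliable on this sample: only the true key maps every byte, including the NUL terminators, into the allowed set. On a real binary you would run the same routine over each candidate blob and widen the alphabet as the recovered strings dictate.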

Additionally, its use of I2P obscures network traffic patterns that traditional monitoring tools rely on.

However, cybersecurity researchers have identified some detection opportunities. For instance:

  • Monitoring event logs for privilege escalation attempts involving SeDebugPrivilege.
  • Detecting anomalous process creation patterns linked to UAC bypasses or parent ID spoofing.
  • Correlating specific TCP sequences associated with its encrypted C2 handshake.
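The first two detection opportunities above can be expressed as simple rules over Windows Security log events. The script below is an added example written for this article, not Sekoia's detection content: it runs two rules over constructed event records whose field names mirror Event ID 4703 (token right adjusted) and Event ID 4688 (process creation), flagging SeDebugPrivilege being enabled by a non-allowlisted image, a High-integrity child spawned directly by a Medium-integrity parent (a UAC-bypass pattern, since legitimate elevation is brokered by the AppInfo service), and a child whose claimed parent was never observed (how parent PID spoofing tends to surface). The allowlist and all records are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Security 4688 fields (constructed)."""
    time: int         # seconds since boot
    pid: int
    image: str
    parent_pid: int
    integrity: str    # Mandatory Label: "Medium", "High" or "System"


@dataclass(frozen=True)
class PrivEvent:
    """Subset of Security 4703 fields (constructed)."""
    time: int
    pid: int
    image: str
    enabled: tuple    # privileges enabled by this adjustment


# Images that routinely hold SeDebugPrivilege on a typical host. This allowlist
# is an assumption for the example and would be tuned per environment.
DEBUG_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\lsass.exe"}


def sedebug_alerts(priv_events) -> list:
    """Rule 1: SeDebugPrivilege enabled by an image outside the allowlist."""
    return [(e.pid, e.image) for e in priv_events
            if "SeDebugPrivilege" in e.enabled and e.image.lower() not in DEBUG_ALLOWLIST]


def process_alerts(proc_events) -> list:
    """Rules 2 and 3 over 4688 events, replayed in time order.

    - "uac-bypass-pattern": High-integrity child of a Medium-integrity parent.
      Consent-based elevation is brokered by AppInfo (inside a System-integrity
      svchost), so a direct Medium -> High hop is not expected in the log.
    - "parent-anomaly": the claimed parent PID was never seen being created,
      which is what a spoofed parent often looks like from the log's perspective.
    """
    seen = {4: ProcEvent(0, 4, "system", 0, "System")}   # seed with the System process
    alerts = []
    for e in sorted(proc_events, key=lambda x: x.time):
        parent = seen.get(e.parent_pid)
        if parent is None:
            alerts.append(("parent-anomaly", e.pid, e.image))
        elif e.integrity == "High" and parent.integrity == "Medium":
            alerts.append(("uac-bypass-pattern", e.pid, e.image))
        seen[e.pid] = e
    return alerts


# Constructed sample telemetry for one host.
SAMPLE_PROCS = [
    ProcEvent(10, 1200, r"c:\windows\explorer.exe", 4, "Medium"),
    ProcEvent(20, 3300, r"c:\windows\system32\svchost.exe", 4, "System"),
    ProcEvent(30, 4100, r"c:\users\u\appdata\local\temp\loader.exe", 1200, "Medium"),
    ProcEvent(31, 4200, r"c:\windows\system32\cmd.exe", 4100, "High"),        # Medium -> High
    ProcEvent(32, 4300, r"c:\windows\system32\powershell.exe", 9999, "High"), # unknown parent
    ProcEvent(40, 4400, r"c:\windows\system32\mmc.exe", 3300, "High"),        # brokered, benign
]

SAMPLE_PRIVS = [
    PrivEvent(21, 3300, r"c:\windows\system32\svchost.exe", ("SeDebugPrivilege",)),
    PrivEvent(33, 4300, r"c:\windows\system32\powershell.exe",
              ("SeDebugPrivilege", "SeImpersonatePrivilege")),
    PrivEvent(41, 4400, r"c:\windows\system32\mmc.exe", ("SeBackupPrivilege",)),
]


def run_rules(procs=SAMPLE_PROCS, privs=SAMPLE_PRIVS) -> dict:
    """Run all rules and return the alerts grouped by rule family."""
    return {"sedebug": sedebug_alerts(privs), "process": process_alerts(procs)}


if __name__ == "__main__":
    for family, hits in run_rules().items():
        for hit in hits:
            print(family, hit)
```

Correlating the hits matters more than any single rule: in the sample, PID 4300 trips both the unknown-parent rule and the SeDebugPrivilege rule within seconds, which is the kind of cross-event pattern the article says behavioural endpoint detection should key on.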

Organizations are advised to adopt advanced endpoint detection solutions capable of analyzing behavioral patterns and correlating events across multiple vectors.

Regular patching of operating systems is also critical to mitigate exploits targeting known vulnerabilities.

Ratatouille exemplifies the evolving sophistication of cyber threats.

By combining advanced privilege escalation methods with anonymized communication channels like I2P, it demonstrates how attackers are increasingly leveraging decentralized networks to evade detection.

As this malware continues to evolve, robust threat intelligence and proactive defense mechanisms will be essential in combating its impact.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
