A newly identified Remote Access Trojan (RAT), dubbed “I2PRAT” or “Ratatouille,” has emerged as a significant cybersecurity threat.
This multi-stage malware employs the Invisible Internet Project (I2P), an encrypted peer-to-peer network, to anonymize its Command and Control (C2) communications, making it highly evasive and challenging to detect.
The malware was first observed in November 2024 and has since been linked to targeted campaigns leveraging advanced evasion techniques.
The I2PRAT malware begins its infection chain with phishing emails that direct victims to fake CAPTCHA pages.
These pages execute malicious JavaScript, tricking users into running a PowerShell script that downloads the malware loader.
The loader utilizes a variety of techniques to bypass Windows User Account Control (UAC) and escalate privileges, enabling administrative access on compromised systems.
Technical Exploitation: Privilege Escalation and UAC Bypass
One of I2PRAT’s standout features is its ability to bypass UAC through a combination of Remote Procedure Call (RPC) exploitation and parent process ID spoofing.
Initially, the malware checks its privilege level using Windows APIs.
If it lacks administrative rights, it attempts to elevate privileges by exploiting the AppInfo RPC service.
However, recent Windows security patches have mitigated this specific bypass method, forcing the malware to rely on alternative strategies such as process migration and token manipulation.
In scenarios where administrative privileges are already granted, I2PRAT uses parent process ID spoofing to launch a copy of itself as an apparent child of a system-level process such as “winlogon.exe.”
Running under that parent lets it operate with SYSTEM-level permissions, granting it unrestricted access to the infected device.
According to the Sekoia researchers, I2PRAT incorporates multiple layers of obfuscation and defense evasion mechanisms.
It uses dynamic API resolution, string obfuscation via XOR encryption, and anti-debugging techniques to evade detection during execution.
Once installed, the RAT disables Microsoft Defender using PowerShell commands and modifies Windows Filtering Platform (WFP) rules to block telemetry data and security updates.
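As an added illustration of the detection side (this is not code from the Sekoia report or from the malware), the script below applies two heuristics drawn from the behaviours described above to constructed Sysmon-style process-creation events: a non-standard child of winlogon.exe, which is how a parent-PID-spoofed process shows up in telemetry, and a PowerShell command line that tampers with Defender. The event format, the allow-list of expected winlogon.exe children and the sample lines are assumptions.

```python
import re

# Expected direct children of winlogon.exe on a stock Windows host (assumption; tune
# per environment). A process that spoofed winlogon.exe as its parent will report it
# as ParentImage, so any other child is worth a closer look.
WINLOGON_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe"}

# Command-line fragments that indicate Defender tampering from PowerShell.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-ExclusionPath",
    re.IGNORECASE,
)


def parse_event(line):
    """Parse a one-line 'Key=Value|Key=Value' process-creation event (constructed format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    labels = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if parent == "winlogon.exe" and image not in WINLOGON_CHILDREN:
        labels.append("suspicious_winlogon_child")
    if image in {"powershell.exe", "pwsh.exe"} and DEFENDER_TAMPER.search(event.get("CommandLine", "")):
        labels.append("defender_tampering")
    return labels


def scan(lines):
    """Map each event's ProcessId to its labels; an empty list means nothing fired."""
    events = [parse_event(line) for line in lines if line.strip()]
    return {event["ProcessId"]: classify(event) for event in events}


# Constructed sample events (not real telemetry; paths and PIDs are illustrative).
SAMPLE_EVENTS = [
    r"ProcessId=1204|Image=C:\Windows\System32\userinit.exe|ParentImage=C:\Windows\System32\winlogon.exe|CommandLine=userinit.exe",
    r"ProcessId=4412|Image=C:\Users\Public\update.exe|ParentImage=C:\Windows\System32\winlogon.exe|CommandLine=update.exe",
    r"ProcessId=5120|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    r"ProcessId=5121|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell Get-Process",
]

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_EVENTS).items():
        print(pid, labels or "clean")
```

Both heuristics are noisy on their own; in practice they are correlated with the WFP rule changes and the I2P network activity the article describes before an alert is raised.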
The malware’s modular architecture adds to its versatility.
It deploys several DLLs, such as cnccli.dll for C2 communication and dwlmgr.dll for file management, that interact through an event bus system.
This modularity allows attackers to execute specific tasks like file exfiltration, RDP hijacking, or user account manipulation[1][2].
Encrypted C2 Communication via I2P
I2PRAT’s use of the I2P network for C2 communication is particularly concerning.
Unlike traditional methods, I2P provides end-to-end encryption and anonymity by routing traffic through decentralized nodes.
This makes it nearly impossible for security tools to trace or intercept the data exchanged between the malware and its operators.
The RAT establishes secure channels using AES-128 encryption in Cipher Block Chaining (CBC) mode, further complicating detection efforts.
The emergence of I2PRAT highlights the growing sophistication of cyber threats leveraging anonymization networks like I2P.
Its ability to exploit UAC bypasses, disable defenses, and operate stealthily poses significant challenges for organizations relying on traditional detection methods.
To mitigate this threat, cybersecurity experts recommend deploying advanced endpoint detection systems capable of monitoring anomalous behaviors and encrypted traffic patterns.
Organizations should also reinforce email security protocols to prevent phishing attacks and educate users about recognizing social engineering tactics.
As researchers continue analyzing I2PRAT’s infrastructure and payloads, its use of encrypted peer-to-peer communication underscores an alarming evolution in malware capabilities that demands robust countermeasures from the cybersecurity community.