The newly discovered malware, dubbed “Ratatouille” or I2PRAT, is making waves in the cybersecurity community due to its advanced evasion techniques and use of the Invisible Internet Project (I2P) network for anonymous communication. First identified in late 2024, this multi-stage Remote Access Trojan (RAT) bypasses User Account Control (UAC), escalates privileges, and maintains persistence on infected systems. The attack begins with phishing emails or malicious links disguised as CAPTCHA verification pages, which, when executed, deploy a PowerShell script that loads the malware.
Once activated, Ratatouille’s loader uses dynamic API resolution, parent process ID spoofing, and various obfuscation techniques to evade detection and elevate privileges. The malware initially attempts to exploit an RPC mechanism via the AppInfo service to escalate privileges but has been rendered less effective due to recent Windows security patches.
In response, the malware adapts by relying on alternative techniques, such as process migration and token manipulation, making detection and mitigation more difficult.
What sets Ratatouille apart is its use of the I2P network for command-and-control (C2) communications. Unlike traditional malware, which relies on traceable IP addresses or domains, Ratatouille anonymizes its network traffic using I2P’s encrypted peer-to-peer connections. This allows attackers to issue commands, exfiltrate data, and deploy additional payloads without revealing their identities or locations. The malware uses AES-128 encryption with unique keys for each session, making it more challenging to detect through conventional methods.
The stealthy nature of Ratatouille poses significant challenges for cybersecurity professionals. Its obfuscation techniques, such as XOR string encryption and dynamic API resolution, make static analysis difficult. Additionally, the use of I2P hides network traffic patterns from traditional monitoring tools. Despite these challenges, researchers have identified key detection opportunities, such as monitoring privilege escalation attempts and unusual process creation patterns. Organizations are advised to implement advanced endpoint detection solutions, patch systems regularly, and adopt proactive threat intelligence strategies to combat the evolving threat posed by Ratatouille.
