Cybersecurity researchers have discovered a new campaign to adopt a previously undocumented family of ransomware called Charon to target the public sector and aviation industry in the Middle East.
According to Trend Micro, the threat actors behind the activity demonstrated tactics that reflected the tactics of advanced persistent threat (APT) groups, including DLL sideloading, process injection, and the ability to avoid endpoint detection and response (EDR) software.
The DLL sideloading technology is similar to that previously documented, and was flagged by cybersecurity companies to provide back-ru doors known as Eagle Door following the exploitation of Eagle Door, which has now affected patch-style security geosebers, targeted by boring frogs and government agencies in the Asia-Pacific region.
“The attack chain utilized the legal browser-related file Edge.exe (originally named Cookie_exporter.exe) to remove the malicious msedge.dll (sordldr).
Like other ransomware binaries, Charon can delete destructive actions that terminate security-related services and running processes, as well as shadow copies and backups, thereby minimizing the chances of recovery. It also employs multi-threaded and partial encryption techniques to make file locking routines faster and more efficient.
Another notable aspect of ransomware is the use of drivers edited from the open source dark kill project, disabling the EDR solution by what is called Bring Your Own’s own vulnerable driver (BYOVD) attack. However, this feature is not triggered during execution, suggesting that it is likely that the feature is in development.
There is evidence to suggest that the campaign was targeted rather than opportunistic. This is due to the use of customized ransom notes that specifically invoke victim organizations with names, a tactic not observed in traditional ransomware attacks. Currently, I don’t know how initial access was obtained.
Despite the technical overlap with Earthbaxia, Trend Micro highlighted that this could mean one of three things –
A false flag manipulation designed to intentionally mimic Earth Baxia’s direct involvement Earth Baxia’s commerce, or a new threat actor independently developed similar tactics.
“Without supporting evidence of shared infrastructure or consistent targeting patterns, this attack shows limited but pronounced technical convergence with known earth baxia operations,” Trend Micro noted.
Regardless of attribution, the findings exemplify the ongoing trends of ransomware operators, increasingly employing sophisticated methods of malware deployment and defence, further blurring the line between cybercrime and nation-state activity.
“The convergence of proper tactics with ransomware operations creates an increased risk for organizations, combining sophisticated avoidance techniques with the immediate business impact of ransomware encryption,” the researchers concluded.
This disclosure comes when ESENTIRE details an interlock ransomware campaign that leverages Clickfix lures to drop PHP-based backdoors.
“Interlock Group employs complex multi-stage processes including powershell scripting, PHP/nodejs/c backdoors, highlighting the importance of monitoring suspicious process activities, lolbins and other TTPs,” the Canadian company said.
The findings show that ransomware is an evolving threat, despite victims continuing to pay ransoms to quickly restore access to their systems. Meanwhile, cybercriminals are beginning to rely on physical threats and DDOS attacks as ways to put pressure on victims.
According to statistics shared by Barracuda, 57% of organizations have experienced successful ransomware attacks in the last 12 months, of which 71% have also experienced an email breach. Additionally, 32% paid the ransom, while only 41% of victims reverted all their data.
Source link
