Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East’s public sector and aviation industry.
The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software.
The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia, which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools.
“The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” researchers Jacob Santos, Ted Lee, Ahmed Kamal, and Don Ovid Ladore said.
Like other ransomware binaries, Charon is capable of disruptive actions that terminate security-related services and running processes, as well as delete shadow copies and backups, thereby minimizing the chances of recovery. It also employs multithreading and partial encryption techniques to make the file-locking routine faster and more efficient.
Another notable aspect of the ransomware is the use of a driver compiled from the open-source Dark-Kill project to disable EDR solutions by means of what’s called a bring your own vulnerable driver (BYOVD) attack. However, this functionality is never triggered during the execution, suggesting that the feature is likely under development.
There is evidence to suggest that the campaign was targeted rather than opportunistic. This stems from the use of a customized ransom note that specifically calls out the victim organization by name, a tactic not observed in traditional ransomware attacks. It’s currently not known how the initial access was obtained.
Despite the technical overlaps with Earth Baxia, Trend Micro has emphasized that this could mean one of three things –
- Direct involvement of Earth Baxia
- A false flag operation designed to deliberately imitate Earth Baxia’s tradecraft, or
- A new threat actor that has independently developed similar tactics
“Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations,” Trend Micro pointed out.
Regardless of the attribution, the findings exemplify the ongoing trend of ransomware operators increasingly adopting sophisticated methods for malware deployment and defense evasion, further blurring the lines between cybercrime and nation-state activity.
“This convergence of APT tactics with ransomware operations poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption,” the researchers concluded.
The disclosure comes as eSentire detailed an Interlock ransomware campaign that leveraged ClickFix lures to drop a PHP-based backdoor that, in turn, deploys NodeSnake (aka Interlock RAT) for credential theft and a C-based implant that supports attacker-supplied commands for further reconnaissance and ransomware deployment.
“Interlock Group employs a complex multi-stage process involving PowerShell scripts, PHP/NodeJS/C backdoors, highlighting the importance of monitoring suspicious process activity, LOLBins, and other TTPs,” the Canadian company said.
The findings show that ransomware continues to be an evolving threat, even as victims continue to pay ransoms to quickly recover access to systems. Cybercriminals, on the other hand, have begun resorting to physical threats and DDoS attacks as a way of putting pressure on victims.
Statistics shared by Barracuda show that 57% of organizations experienced a successful ransomware attack in the last 12 months, of which 71% that had experienced an email breach were also hit with ransomware. What’s more, 32% paid a ransom, but only 41% of the victims got all their data back.