New "Tycoon" Ransomware Targets Windows and Linux Systems

Cybersecurity researchers have uncovered a new ransomware campaign directed against the education and software industries that leverages an obscure Java image file format to evade detection.

Dubbed "Tycoon," the multi-platform ransomware strain has been observed for at least six months, although it appears only a "limited" number of victims have been affected, suggesting it may be a highly targeted threat, according to a report published by BlackBerry and KPMG.

"The main thing that makes Tycoon stand out is that it was written in Java and deployed from an uncommon Java Image format (JIMAGE)," BlackBerry's Eric Milam and Claudiu Teodorescu said. "These are both unique methods. The advantage of writing malware in Java is the portability between operating systems, while using an uncommon file format helps the malware fly under the radar."

The findings were published in the aftermath of a ransomware attack on an unnamed organization, whose systems were encrypted and locked after the attackers broke into its network via an internet-facing remote desktop server and deployed a backdoor.

Seven days after initial access, the attackers re-entered the network using the backdoor to spread laterally, disable anti-malware software, and execute the malware payload, which encrypts all file servers, including backup systems connected to the network, and holds them for a Bitcoin ransom.

Here's where the obfuscation comes into the picture. Tycoon, which is capable of targeting both Windows and Linux systems, is deployed as a ZIP file housing a Trojanized Java Runtime Environment, with the malicious code compiled into a Java image file.

JIMAGE is a special file format introduced with Java 9 to store custom runtime images that the Java Virtual Machine loads at runtime. Unlike more common formats such as the Java Archive (JAR), JIMAGE is rarely encountered outside the JDK itself, as it is internal to the core implementation of Java. Antivirus solutions also tend to ignore it.
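One defensive check this suggests is to flag archives that carry a bundled runtime image, since a JRE shipped inside a ZIP is the delivery shape described above. The following is an added example, not code from the report or the article; it assumes the jimage header magic 0xCAFEDADA from OpenJDK's jimage implementation (not stated on the page) and builds a constructed sample archive inline.

```python
import io
import struct
import zipfile

# Header magic used by OpenJDK's jimage format (assumption: taken from
# jdk.internal.jimage, not from the article). The file is written in the
# build machine's native byte order, so both orders are checked.
JIMAGE_MAGIC = 0xCAFEDADA


def is_jimage(data: bytes) -> bool:
    """True if the first four bytes match the jimage magic in either byte order."""
    if len(data) < 4:
        return False
    (little,) = struct.unpack("<I", data[:4])
    (big,) = struct.unpack(">I", data[:4])
    return JIMAGE_MAGIC in (little, big)


def find_jimage_entries(zip_bytes: bytes) -> list[str]:
    """Return the names of ZIP entries whose content starts with the jimage magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if is_jimage(fh.read(4)):  # only the header is needed for triage
                    hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a bundled-runtime layout with one jimage entry and two plain files."""
    # Constructed header: real magic followed by zero padding, not a usable module image.
    header = struct.pack("<I", JIMAGE_MAGIC) + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("runtime/lib/modules", header)
        zf.writestr("runtime/bin/java", b"#!/bin/sh\n")
        zf.writestr("runtime/README.txt", b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_jimage_entries(build_sample_archive()):
        print("jimage entry found:", name)
```

A hit only means a custom runtime image is being shipped inside the archive; legitimate JDK installs contain the same file under lib/modules, so treat it as a triage signal that warrants inspecting the archive's other contents rather than as a verdict.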

"This is the first sample we've encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build," the researchers said.

If anything, the attacks are a reminder that education and software sectors continue to be a testbed for ransomware attacks.

"Universities have become playgrounds for attackers that are testing ransomware, as being at a university provides opportunities to build, test and tweak attacks," the researchers said. "This is because students often engage in risky online behaviors that expose them to ransomware, campuses have a highly open and interconnected nature, and cost pressures have made it difficult for institutions to fund IT security investments."