Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

A recently discovered multi-platform Java ransomware uses a Java image file (JIMAGE) to evade detection, BlackBerry security researchers report.

Dubbed Tycoon, the ransomware appears to be used only in highly targeted attacks, given the low number of victims and the delivery mechanism employed.

A recently discovered multi-platform Java ransomware uses a Java image file (JIMAGE) to evade detection, BlackBerry security researchers report.

Dubbed Tycoon, the ransomware appears to be used only in highly targeted attacks, given the low number of victims and the delivery mechanism employed.

The ransomware’s operators targeted small to medium-sized companies and institutions in the education and software industries, the researchers say. In one instance, they first compromised an Internet-facing remote desktop protocol jump-server and used it for further compromise.

The investigation into the incident revealed that the attackers used Image File Execution Options (IFEO) injection for persistence, that they executed a backdoor alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system, that they proceeded to disable the anti-malware solution, and that most of their files were timestamped.

After establishing a foothold onto the environment, the attackers executed the Java ransomware module, which encrypted all file servers connected to the network, including backup systems.

The ransomware is deployed as a ZIP archive containing a trojanized Java Runtime Environment (JRE) build and is compiled into a Java image file (JIMAGE). This file format is used to store custom JRE images and is used by the Java Virtual Machine (JVM) at runtime.

First introduced in Java version 9, the file format is sparsely documented and is rarely used by developers, BlackBerry explains.

The security researchers also discovered that the malware was designed to target both Windows and Linux systems.

Advertisement. Scroll to continue reading.

The ransomware’s configuration includes the attacker’s email address, the RSA public key, the content of the ransom note, an exclusions list, and a list of shell commands to be executed. When executed, the malware runs a set of shell commands specified in the configuration file.

Tycoon deletes original files after encryption and also overwrites them to prevent recovery. The embedded Windows utility cipher.exe is exploited for this task. During encryption, the malware skips parts of larger files to speed up the process, which results in those files being damaged and unusable.

Each file is encrypted using a different AES key. The ransomware uses asymmetric RSA algorithm to encrypt the securely generated AES keys used in encryption, meaning that decryption requires the attacker’s private RSA key.

“However, one of the victims seeking help on the BleepingComputer forum posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the .redrum extension to the encrypted files,” the researchers explain.

The same does not work for the more recent version of the ransomware, which appends the .grinch and .thanos extensions to the encrypted files.

“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments,” BlackBerry notes.

The security researchers also identified a possible connection with the Dharma/CrySIS ransomware, based on overlaps in email addresses, the text of the ransom note, and the naming convention used for encrypted files.

“This ransomware attack is the second one in the past month using the Java Runtime Engine (JRE) to execute the attack. While initial information shows a very targeted attack, it illustrates the notion that criminal groups are seeking new ways to avoid detection once inside an organization. Disabling the anti- malware on systems reduces the chance of being discovered by monitoring system administrators before launching the JRE to encrypt the file systems,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.

Related: Ransomware Forces Shutdown of Texas Judiciary Network

Related: ATM Maker Diebold Nixdorf Hit by Ransomware

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Raj Dodhiawala has been named Chief Product Officer at Eclypsium.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.