Multi-platform Tycoon Ransomware employed in targeted attacks

Pierluigi Paganini June 05, 2020

Experts recently discovered a multi-platform ransomware, dubbed Tycoon Ransomware, that uses a Java image file (JIMAGE) to evade detection.

Experts from BlackBerry Threat Intelligence and KPMG recently discovered a new strain of multi-platform ransomware dubbed Tycoon ransomware.

The Tycoon ransomware was used in highly targeted attacks, its operators recently targeted small to medium-sized companies and institutions in the education and software industries.

Operators infiltrate target networks using vulnerable and Internet-exposed RDP servers, then manually deploy the ransomware as a “ZIP archive containing a Trojanized Java Runtime Environment (JRE) build”

The ransomware is compiled into a Java image file (JIMAGE), which is a file format that stores custom JRE images which is designed to be used by the Java Virtual Machine (JVM) at runtime. It encompasses resources and class files of all Java modules that support the specific JRE build.

JIMAGE was introduced in Java version 9, it is quite uncommon to see developers using it.

Tycoon ransomware

Experts discovered that attackers used some unusual techniques to achieve persistence and execute a backdoor. Threat actors used a technique called Image File Execution Options (IFEO) injection to achieve persistence.

“To achieve persistence on the victim’s machine, the attackers had used a technique called Image File Execution Options (IFEO) injection. IFEO settings are stored in the Windows registry. These settings give developers an option to debug their software through the attachment of a debugging application during the execution of a target application.” reads the analysis published by BlackBerry.

“A backdoor was then executed alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system.”

The investigation revealed that attackers disabled the organization’s anti-malware solution using the ProcessHacker utility and changed the passwords for Active Directory servers locking out the victim from its systems.

Attackers timestamped files with date timestamps of 11th April 2020, 15:16:22:

Upon establishing a foothold onto the target network, the attackers executed the Java ransomware module, which encrypted the files on connected servers.

“The list of paths to encrypt can be passed as parameter; alternatively, the malware will generate a list of all root paths in the system. A separate encryption thread will be created for each item in the path list.”continues the analysis.

“After the encryption process is completed, the malware will ensure that the files are not recoverable by overwriting deleted files in each encryption path. It uses an embedded Windows utility called cipher.exe for this task”

Experts noted that the ransomware configuration (project’s BuildConfig file) includes the followin information:

  • The attacker’s email address
  • The RSA public key
  • The content of the ransom note
  • The exclusions list
  • The list of shell commands to be executed

Each file is encrypted using a different AES key, the ransomware uses asymmetric RSA algorithm to encrypt the AES keys used to encrypt the files.

Security researchers speculate a possible link with the Dharma/CrySIS ransomware due to overlaps in email addresses, the text of the ransom note, and the naming convention used for encrypted files.

“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments.” concludes the analysis.

“The overlap in some of the email addresses, as well as the text of the ransom note and the naming convention used for encrypted files, suggests a connection between Tycoon and Dharma/CrySIS ransomware.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Tycoon, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment