Charon Ransomware targets Middle East businesses with advanced evasion strategies
Cybersecurity researchers have identified a new campaign utilising a previously undocumented ransomware family named Charon, which specifically targets the public sector and aviation industry in the Middle East. According to Trend Micro, the threat actor behind this campaign employs tactics reminiscent of advanced persistent threat (APT) groups, including DLL side-loading, process injection, and evasion of endpoint detection and response (EDR) software. The DLL side-loading techniques observed in this campaign bear similarities to those used by the China-linked hacking group Earth Baxia, which has previously targeted government entities in Taiwan and the Asia-Pacific region. The attack chain involved leveraging a legitimate browser-related file, Edge.exe, to sideload a malicious msedge.dll, which ultimately deployed the Charon ransomware payload.
Charon exhibits disruptive capabilities, such as terminating security-related services and deleting shadow copies and backups, thereby hindering recovery efforts. It employs multithreading and partial encryption techniques to enhance the efficiency of its file-locking routine. Notably, the ransomware also incorporates a driver from the open-source Dark-Kill project to disable EDR solutions through a bring your own vulnerable driver (BYOVD) attack, although this functionality has not yet been activated, indicating it may still be under development. The campaign appears to have been targeted: the ransom note is customised to name the victim organisation, a tactic not typically seen in traditional ransomware attacks. While there are technical overlaps with Earth Baxia, Trend Micro posits three possibilities: direct involvement of Earth Baxia, a false flag operation, or a new threat actor independently developing similar tactics. Regardless of attribution, this incident highlights the increasing sophistication of ransomware operators, further blurring the lines between cybercrime and nation-state activity.
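A defender-side detection sketch for two of the behaviours described above, msedge.dll being loaded from a directory where a genuine Edge install would not place it, and shadow-copy deletion, added here as an example and not code from Trend Micro's report. The key=value telemetry format, the sample events and the list of trusted Edge directories are constructed assumptions and should be adapted to real EDR or Sysmon output.

```python
import re
from pathlib import PureWindowsPath

# Assumption: directories under which a legitimate msedge.dll is expected to live
# (Edge installs into a versioned subfolder beneath these, so prefix matching is used).
TRUSTED_EDGE_DIRS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)
# Command-line fragments commonly associated with destroying recovery points.
SHADOW_DELETE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete")

# Constructed telemetry in a simplified key=value form (not real Sysmon/EDR records).
SAMPLE_EVENTS = [
    r'type=ImageLoad proc=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll',
    r'type=ImageLoad proc=C:\Users\Public\update\Edge.exe image=C:\Users\Public\update\msedge.dll',
    r'type=ProcessCreate proc=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    r'type=ProcessCreate proc=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
]

EVENT_RE = re.compile(r'^type=(\w+) proc=(.+?) (?:image=(.+)|cmdline="(.*)")$')

def parse_event(line):
    """Parse one constructed telemetry line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    etype, proc, image, cmdline = m.groups()
    return {"type": etype, "proc": proc, "image": image, "cmdline": cmdline}

def is_sideloaded_msedge(image_path):
    """True when a module named msedge.dll loads from outside the trusted Edge directories."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "msedge.dll":
        return False
    parent = str(p.parent).lower()
    return not any(parent.startswith(d) for d in TRUSTED_EDGE_DIRS)

def detect(lines):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines the parser cannot interpret rather than fail
        if ev["type"] == "ImageLoad" and ev["image"] and is_sideloaded_msedge(ev["image"]):
            alerts.append(("msedge_dll_sideload", ev["proc"]))
        if ev["type"] == "ProcessCreate" and ev["cmdline"]:
            cl = ev["cmdline"].lower()
            if any(marker in cl for marker in SHADOW_DELETE_MARKERS):
                alerts.append(("shadow_copy_deletion", ev["cmdline"]))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags only the Edge.exe copy loading msedge.dll from a user-writable directory and the vssadmin shadow deletion; the genuine Edge load and the notepad launch produce no alert.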