Tycoon Ransomware Banks on Unusual Image File Tactic

tycoon ransomware

To fly under the radar, the newly discovered ransomware is compiled into a Java image file format that’s rarely used by developers.

A new ransomware strain called Tycoon is seeking to wheel and deal its way into the Windows and Linux worlds, using a little-known Java image format as part of its kill chain.

The ransomware is housed in a trojanized version of the Java Runtime Environment (JRE), according to researchers at BlackBerry Cylance, and has been around since December. Its victims so far have largely consisted of small- and medium-sized organizations in the education and software industries, researchers said, which it targets with customized lures.

“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims,” the researchers noted, in a posting on Thursday. “This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments.”

Working with KPMG’s UK Cyber Response Services, the researchers analyzed a targeted attack using the previously unknown malware on an organization’s domain controller and file servers (the initial intrusion occurred via an internet-facing RDP jump-server). They said that the forensic analysis of a recent attack showed that the ransomware uses “unusual and noteworthy” techniques.

Most notably, Tycoon ransomware is delivered to a compromised machine as a .ZIP compressed archive, containing a trojanized Java Runtime Environment (JRE) build. The malware is compiled into a Java image file (JIMAGE). JIMAGE is a special file format used to store class and resource files of multiple Java modules (including images) to support custom JRE. It’s rarely used by developers – unlike its cousin, the popular Java Archive format (JAR), researchers said.

“Malware writers are constantly seeking new ways of flying under the radar,” researchers said. “They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we’ve encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build.”

The ransomware is triggered by executing a shell script that runs the main malicious Java module, of which there are both Windows and Linux versions. It has a configuration file that is stored in the project’s BuildConfig file, which holds the attacker’s email address; an RSA public key; the content of the ransom note; an exclusions list; and a set of shell commands to be executed.

The latter commands include instructions on encrypting the files present on the compromised machine.

“The list of paths to encrypt can be passed as parameter; alternatively, the malware will generate a list of all root paths in the system,” explained the researchers. “A separate encryption thread will be created for each item in the path list. After the encryption process is completed, the malware will ensure that the files are not recoverable by overwriting deleted files in each encryption path. It uses an embedded Windows utility called cipher.exe for this task.”

Each file is encrypted with a different AES key, then encrypted with the attacker’s RSA-1024 public key and saved in a chunk metadata block.

“Because of the use of asymmetric RSA algorithm to encrypt the securely generated AES keys, the file decryption requires obtaining the attacker’s private RSA key,” researchers explained. “Factoring a 1024-bit RSA key, although theoretically possible, has not been achieved yet and would require extraordinary computational power.”

That said, the earliest version of the malware (which applies the the .redrum extension to the encrypted files) can be decrypted using a hardcoded, static RSA key that one user published on a cybersecurity forum. However, researchers found that the key has proven to be successful in decryption of more recent versions (which append the “.grinch” and “.thanos” extensions to files).

The analysis flagged a few other novel approaches in Tycoon, including the use of Image File Execution Options (IFEO) injection to achieve persistence on the victim’s machine. It uses this to execute a backdoor alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system.

Also, the attackers disabled the organization’s anti-malware solution with the use of the ProcessHacker utility and changed the passwords for Active Directory servers. This leaves the victim unable to access their systems.

“This ransomware attack is the second one in the past month using the Java Runtime Engine (JRE) to execute the attack,” James McQuiggan, security awareness advocate at KnowBe4, said via email. “While initial information shows a very targeted attack, it illustrates the notion that criminal groups are seeking new ways to avoid detection once inside an organization. Disabling the anti-malware on systems reduces the chance of being discovered by monitoring system administrators before launching the JRE to encrypt the file systems.”

While attribution of the malicious code is for now ambiguous, researchers did see some overlaps with a known malware.

“The overlap in some of the email addresses, as well as the text of the ransom note and the naming convention used for encrypted files, suggests a connection between Tycoon and Dharma/CrySIS ransomware,” they wrote.

CrySis surfaced in February 2016, when it was seen spreading via email attachments with double file extensions, or through links in spam messages. In a similar move to Tycoon’s technique, CrySis was also found lurking in trojanized versions of freely available software such as compression programs like WinRAR. Just a few months later though, the master decryption keys were released for the malware, effectively defanging it.


Suggested articles