Charon Ransomware Emerges with APT-Style Tactics in Middle East Attacks


A newly identified ransomware family, Charon, has been deployed in targeted attacks against Middle Eastern public sector and aviation organizations. The campaign uses APT-style techniques similar to Earth Baxia operations, including DLL sideloading, process injection, and anti-EDR features. The ransomware is highly customized for each victim, with ransom notes containing the organization’s name.

Severity Level: High

Threat Overview

The blend of APT-grade stealth with ransomware payloads presents elevated risk, combining deep infiltration capabilities with rapid encryption. This duality threatens not only operational continuity but also sensitive data confidentiality.

  • Threat Actor: Unknown (a possible, unconfirmed link to the Earth Baxia APT group)
  • Motivation: Financial gain through ransom demands; operational disruption

Attack Details

  1. Execution:
    • A legitimate signed binary (Edge.exe, originally named cookie_exporter.exe) is abused for DLL sideloading.
    • The malicious DLL (msedge.dll, tracked as SWORDLDR) is loaded alongside it.
  2. Payload Decryption & Loading: Encrypted shellcode in DumpStack.log is decrypted into an intermediate payload; a second decryption pass yields the Charon ransomware PE.
  3. Process Injection: Payload injected into svchost.exe for stealth.
  4. Pre-encryption Actions:
    • Stops security services/processes.
    • Deletes shadow copies and empties Recycle Bin.
  5. Encryption Method:
    • Hybrid cryptography using Curve25519 ECC + ChaCha20.
    • Partial encryption strategy for speed, with .Charon extension and infection marker: “hCharon is enter to the urworld!”.
  6. Network Propagation: Enumerates and encrypts network shares (excluding ADMIN$).
  7. Anti-EDR Capabilities: Contains a dormant driver (WWC.sys) based on the Dark-Kill project, designed to disable EDR, hinting at future upgrades.

Recommendations

  1. Harden against DLL sideloading and process injection by:
    • Limiting which executables can run and load DLLs, especially in directories commonly abused for sideloading (e.g., app folders, temp locations).
    • Alerting on suspicious process chains, such as Edge.exe or other signed binaries loading nonstandard DLLs or spawning svchost.exe instances.
    • Watching out for unsigned or suspicious DLLs placed next to legitimate binaries.
  2. Ensure that EDR and antivirus agents are running with capabilities that prevent malware from disabling, tampering with, or uninstalling the security solutions.
  3. Limit lateral movement by restricting access between workstations, servers, and sensitive shares. Disable or closely monitor the use of ADMIN$ and other admin shares. Require strong authentication for all remote access.
  4. Strengthen backup and recovery capabilities by:
    • Maintaining offline or immutable backup copies, separate from production systems, so that backups can’t be wiped by ransomware.
    • Regularly validating that backups can be restored and that shadow copy deletion or Recycle Bin emptying won’t block recovery.
    • Only allowing backup, shadow copy, and restore rights to specific, monitored accounts.
  5. Reinforce user awareness and privilege management by:
    • Educating end users and training employees to avoid suspicious attachments, links, and executables, which may initiate the sideloading chain.
    • Limiting user and service accounts to only the permissions needed for their roles to reduce the impact if a system is compromised.
  6. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/f7698c7f6fd62e595df373f536ae9e2b8b02db62f402c14230947739db3358d5/iocs
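The sideloading checks in recommendation 1 can be turned into a simple triage rule over Sysmon ImageLoad (Event ID 7) telemetry. The script below is an added example, not code from the advisory or from Trend Micro; the event records are constructed to mirror the Edge.exe / msedge.dll chain described above, and the list of sideload-prone directories is an assumption you should tune to your estate.

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 (ImageLoad) records."""
import ntpath

# Constructed sample records shaped after Sysmon Event ID 7 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\Edge.exe",          # renamed signed binary
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\msedge.dll",  # SWORDLDR-style loader
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\tool.exe",
     "ImageLoaded": r"C:\ProgramData\version.dll",
     "Signed": "true", "SignatureStatus": "Revoked"},
]

# OS directories whose DLLs are never treated as sideload candidates.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed user-writable locations commonly abused for sideloading; tune per environment.
SIDELOAD_PRONE_ROOTS = (r"\appdata\local\temp", r"\programdata", r"\users\public", r"\downloads")


def is_sideload_candidate(ev):
    """Return a reason string if the load looks like DLL sideloading, else None."""
    proc_dir = ntpath.dirname(ev["Image"]).lower()
    dll_path = ev["ImageLoaded"].lower()
    dll_dir = ntpath.dirname(dll_path)
    if dll_dir.startswith(SYSTEM_DIRS):
        return None  # OS-supplied DLL from a protected system directory
    if dll_dir != proc_dir:
        return None  # sideloading means the DLL sits next to the host binary
    trusted = ev["Signed"] == "true" and ev["SignatureStatus"] == "Valid"
    if not trusted:
        return f"untrusted DLL loaded from the process directory: {ev['ImageLoaded']}"
    if any(root in dll_dir for root in SIDELOAD_PRONE_ROOTS):
        return f"same-directory DLL load from a user-writable path: {ev['ImageLoaded']}"
    return None  # signed, valid DLL beside a binary in a normal install location


def find_sideload_candidates(events):
    """Return (host image, reason) pairs for every event that trips the rule."""
    return [(ev["Image"], reason) for ev in events if (reason := is_sideload_candidate(ev))]


if __name__ == "__main__":
    for image, reason in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

Signature fields come from Sysmon itself, so the rule only needs the ImageLoad events forwarded to your SIEM; pair it with the process-creation alerts for svchost.exe injection noted above.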

Source:

  • https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html


Ampcus Cyber