A newly identified ransomware family, Charon, has been deployed in targeted attacks against Middle Eastern public sector and aviation organizations. The campaign uses APT-style techniques similar to Earth Baxia operations, including DLL sideloading, process injection, and anti-EDR features. The ransomware is highly customized for each victim, with ransom notes containing the organization’s name.
Severity Level: High
Threat Overview
The blend of APT-grade stealth with ransomware payloads presents elevated risk, combining deep infiltration capabilities with rapid encryption. This duality threatens not only operational continuity but also sensitive data confidentiality.
- Threat Actor: Unknown (possible link to Earth Baxia APT group – not confirmed)
- Motivation: Financial gain through ransom demands; operational disruption
Attack Details
- Execution:
  - Legitimate binary (Edge.exe, formerly cookie_exporter.exe) abused for DLL sideloading.
  - Malicious DLL (msedge.dll, nicknamed SWORDLDR) loaded alongside.
- Payload Decryption & Loading: Encrypted shellcode in DumpStack.log decrypted → intermediate payload → second decryption yields Charon ransomware PE.
- Process Injection: Payload injected into svchost.exe for stealth.
- Pre-encryption Actions:
  - Stops security services/processes.
  - Deletes shadow copies and empties Recycle Bin.
- Encryption Method:
  - Hybrid cryptography using Curve25519 ECC + ChaCha20.
  - Partial encryption strategy for speed, with .Charon extension and infection marker: “hCharon is enter to the urworld!”.
- Network Propagation: Enumerates and encrypts network shares (excluding ADMIN$).
- Anti-EDR Capabilities: Contains a dormant driver (WWC.sys) based on the Dark-Kill project, designed to disable EDR, hinting at future upgrades.
Recommendations
- Harden against DLL sideloading and process injection by:
  - Limiting which executables can run and load DLLs, especially in directories commonly abused for sideloading (e.g., app folders, temp locations).
  - Alerting on suspicious process chains, such as Edge.exe or other signed binaries spawning nonstandard DLLs or svchost.exe instances.
  - Watching out for unsigned or suspicious DLLs placed next to legitimate binaries.
- Ensure that EDR and antivirus agents run with tamper protection enabled, so that malware cannot disable, modify, or uninstall them.
- Limit lateral movement by restricting access between workstations, servers, and sensitive shares. Disable or closely monitor the use of ADMIN$ and other admin shares. Require strong authentication for all remote access.
- Strengthen backup and recovery capabilities by:
  - Maintaining offline or immutable backup copies, separate from production systems, so that backups can’t be wiped by ransomware.
  - Regularly validating that backups can be restored and that shadow copy deletion or Recycle Bin emptying won’t block recovery.
  - Only allowing backup, shadow copy, and restore rights to specific, monitored accounts.
- Reinforce user awareness and privilege management by:
  - Training end users to avoid suspicious attachments, links, and executables, which may initiate the sideloading chain.
  - Limiting user and service accounts to only the permissions needed for their roles, to reduce the impact if a system is compromised.
- Block the IOCs at their respective controls (VirusTotal collection):
  https://www.virustotal.com/gui/collection/f7698c7f6fd62e595df373f536ae9e2b8b02db62f402c14230947739db3358d5/iocs
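As an added detection example (not code from the Trend Micro report or this advisory), the two process-chain signals the recommendations above call out, an unsigned DLL loaded from the same user-writable directory as a signed host binary such as Edge.exe, and an svchost.exe started by something other than services.exe, written as rules over constructed Sysmon-style events. Field names follow Sysmon's image-load (ID 7) and process-create (ID 1) events; the sample paths and values are invented for this example.

```python
import ntpath

# Constructed Sysmon-style events (ID 7 = image load, ID 1 = process create).
# Field names follow Sysmon; the paths and values below are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Edge.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msedge.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Edge.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Directories an unprivileged user can write to: an unsigned DLL loaded from beside
# a signed EXE in one of these is the classic sideloading shape described above.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# svchost.exe is normally started only by services.exe (or by another svchost).
LEGIT_SVCHOST_PARENTS = ("services.exe", "svchost.exe")


def sideload_alert(ev):
    # Flag an unsigned DLL loaded from the same user-writable directory as its host EXE.
    if ev.get("EventID") != 7:
        return None
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if exe_dir != dll_dir or ev.get("Signed", "false").lower() == "true":
        return None
    if not any(p in exe_dir + "\\" for p in USER_WRITABLE):
        return None
    return f"possible DLL sideload: {ev['Image']} loaded unsigned {ev['ImageLoaded']}"


def injection_host_alert(ev):
    # Flag svchost.exe started by anything other than services.exe/svchost.exe.
    if ev.get("EventID") != 1 or ntpath.basename(ev["Image"]).lower() != "svchost.exe":
        return None
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent in LEGIT_SVCHOST_PARENTS:
        return None
    return f"svchost.exe spawned by unexpected parent {ev['ParentImage']} (injection host?)"


def scan(events):
    # Run both rules over an event stream and return the alerts in order.
    alerts = []
    for ev in events:
        for rule in (sideload_alert, injection_host_alert):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts
```

Both rules are triage signals rather than verdicts: legitimate applications installed under AppData also load unsigned DLLs from their own folder, so an allowlist of known application paths belongs in front of the sideload rule in production.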
Source:
- https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html