
Vulnerabilities / Threats

6/4/2020
05:45 PM

New 'Tycoon' Ransomware Strain Targets Windows, Linux

Researchers say Tycoon ransomware, which has targeted software and educational institutions, has a few traits they haven't seen before.

A newly discovered form of Java-based ransomware has been spotted in active and seemingly targeted attacks on education and software companies, researchers from BlackBerry and KPMG report. This strain, dubbed Tycoon, uses an obscure Java image format to bypass security tools.

The discovery began when KPMG's UK Cyber Response Services team was contacted to respond to a targeted attack against an educational institution. BlackBerry's Research and Intelligence team, which works with KPMG, analyzed the threat. The Tycoon ransomware, they say, has been observed in the wild since December 2019 and targets both Windows and Linux machines. Its victim count is "limited," researchers say, suggesting it may be a highly targeted threat.

In this case, an attacker connected to the target system through a Remote Desktop Protocol (RDP) server on the network. From there, they located a target and obtained local administrator credentials, installed ProcessHacker-as-a-service, and disabled antivirus. They dropped a backdoor so they could regain entry later, and then left.

Seven days later, the attacker connected to an RDP server and used it to move laterally across the network, making RDP connections to multiple systems. Analysis indicates the RDP connections were manually initiated for each server, BlackBerry's team states in a blog post. The attacker then ran ProcessHacker-as-a-service and disabled antivirus before executing the ransomware. They followed this same process for each infected server on the network; files were encrypted with extensions including .thanos, .grinch, and .redrum.

"They really understood the environment," says Eric Milam, vice president of Guard Services at BlackBerry. "It's not a shock why they chose ransomware … [they] were able to cause the maximum amount of damage across platforms."

Once they established a foothold in the target organization, he says, it was "off to the races." After a week, the attackers targeted only the main servers, with the clear aim of crippling the infrastructure and ensuring a ransom payment.

Tycoon Adds New Twist to Ransomware
Tycoon is deployed as a Trojanized Java Runtime Environment (JRE) and compiled into a Java image file (JIMAGE), a special file format that stores custom JRE images and is designed to be used by the Java Virtual Machine (JVM) at runtime. JIMAGE holds resources and class files of all Java modules that support the specific JRE build. Unlike the more popular Java Archive format (JAR), JIMAGE is mostly internal to the Java Development Kit (JDK). Developers rarely use it.

"Because JIMAGE is more used internally by Java, it's a very nice way to hide," says Claudiu Teodorescu, director of BlackBerry's threat hunting and intelligence operations, noting that businesses may assume the activity is coming from an internal developer. "This is a nice way to be stealthy because nobody will look into JIMAGE and think something is off."

The use of a JIMAGE file is "completely new" to ransomware, adds Milam. JIMAGE isn't normally parsed by antivirus and may appear to be a standard component or library in the SDK. "There's not a lot of reason to question [it]," he says. Researchers note the malicious JRE build contains both Windows and Linux versions of a shell script that triggers the ransomware when executed, suggesting Linux servers are also targets.
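As an added defender-side example (not code from the article or from the BlackBerry/KPMG research), the checker below identifies files by the OpenJDK jimage header (magic 0xCAFEDADA, seven 32-bit fields, written in the build machine's byte order) and flags any jimage that is not the `lib/modules` file of a known JDK install. The list of standard JDK roots is an assumption to adjust for the estate being scanned, and the sample headers are constructed for the test.

```python
import os
import struct

JIMAGE_MAGIC = 0xCAFEDADA   # OpenJDK jimage header magic
HEADER_SIZE = 28            # seven unsigned 32-bit header fields

# Assumption: directories where a legitimate JRE/JDK "lib/modules" jimage
# normally lives. Tune this list to the environment being audited.
KNOWN_JDK_ROOTS = (
    "/usr/lib/jvm",
    "C:/Program Files/Java",
    "C:/Program Files/Eclipse Adoptium",
)

def parse_jimage_header(data):
    """Return the jimage header fields if data starts with one, else None."""
    if len(data) < HEADER_SIZE:
        return None
    # The JDK loader accepts the magic in either byte order; do the same
    # instead of assuming little-endian and missing big-endian builds.
    for order in ("<", ">"):
        if struct.unpack_from(order + "I", data, 0)[0] != JIMAGE_MAGIC:
            continue
        f = struct.unpack_from(order + "7I", data, 0)
        return {
            "byte_order": "little" if order == "<" else "big",
            "major": f[1] >> 16, "minor": f[1] & 0xFFFF,
            "flags": f[2], "resource_count": f[3], "table_length": f[4],
            "locations_size": f[5], "strings_size": f[6],
        }
    return None

def classify(path, data):
    """'expected' for a jimage at a standard JDK lib/modules path,
    'suspicious' for a jimage anywhere else, 'not-jimage' otherwise."""
    if parse_jimage_header(data) is None:
        return "not-jimage"
    p = path.replace("\\", "/")
    in_jdk = any(p.startswith(root) for root in KNOWN_JDK_ROOTS)
    return "expected" if in_jdk and p.endswith("/lib/modules") else "suspicious"

def scan_tree(root):
    """Yield (path, verdict) for every jimage file under root."""
    for d, _, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(HEADER_SIZE)
            except OSError:
                continue
            verdict = classify(full, head)
            if verdict != "not-jimage":
                yield full, verdict

def make_sample(resource_count, order="<"):
    """Constructed jimage header (version 1.0) for testing, not a real file."""
    return struct.pack(order + "7I", JIMAGE_MAGIC, 1 << 16, 0,
                       resource_count, 1024, 4096, 8192)
```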

Because the attackers used an asymmetric RSA algorithm to encrypt the AES keys, file decryption requires obtaining the attacker's private RSA key. Researchers note some victims may not have needed to pay: In a BleepingComputer forum, a Tycoon victim posted a private RSA key that presumably came from a decryptor they bought from the attackers. This key could be used to decrypt files encrypted by the earliest version of Tycoon, which used the .redrum extension.

Researchers also noticed an overlap between Tycoon and the Dharma/CrySIS ransomware — in particular, the email addresses, ransom note text, and naming convention for encrypted files. Dharma/CrySIS appeared last year and didn't go away, Teodorescu says. When Tycoon appeared in December, researchers noticed the .redrum extension, which was also seen in the earlier Dharma/CrySIS campaigns. Like Tycoon, Dharma/CrySIS exploited weak credentials on RDP to break in. While there was no mention of Java in these attacks, the attackers were also living off the land.

Malware writers are constantly seeking new ways to evade detection, researchers state in their blog post. Now, they say, attackers are moving away from conventional obfuscation and toward uncommon programming languages and obscure data formats. They note a "substantial increase" in ransomware written in Java, Go, and other languages.

For businesses that want to better protect against Tycoon, Teodorescu advises first making sure they know their infrastructure: "Have a clear methodology of auditing credentials, patching your operating system, patching web servers, [and] making sure you have cyber hygiene methodology in place for your organization," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...