
Dark Reading, Vulnerabilities / Threats
6/4/2020 05:45 PM

New 'Tycoon' Ransomware Strain Targets Windows, Linux

Researchers say Tycoon ransomware, which has targeted software and educational institutions, has a few traits they haven't seen before.

A newly discovered form of Java-based ransomware has been spotted in active and seemingly targeted attacks on education and software companies, researchers from BlackBerry and KPMG report. This strain, dubbed Tycoon, uses an obscure Java image format to bypass security tools.

The discovery began when KPMG's UK Cyber Response Services team was contacted to respond to a targeted attack against an educational institution. BlackBerry's Research and Intelligence team, which works with KPMG, analyzed the threat. The Tycoon ransomware, they say, has been observed in the wild since December 2019 and targets both Windows and Linux machines. Its victim count is "limited," researchers say, suggesting it may be a highly targeted threat.

In this case, the attacker first connected to the target's network through a Remote Desktop Protocol (RDP) server, located a target system, and obtained local administrator credentials. They then installed Process Hacker as a service, disabled antivirus, dropped a backdoor so they could regain entry later, and left.

Seven days later, the attacker reconnected to the RDP server and used it to move laterally across the network, making RDP connections to multiple systems. Analysis indicates the RDP connections were initiated manually for each server, BlackBerry's team states in a blog post. On each server the attacker again ran Process Hacker as a service, disabled antivirus, and executed the ransomware, repeating the same steps for every infected server on the network. Encrypted files received extensions including .thanos, .grinch, and .redrum.

"They really understood the environment," says Eric Milam, vice president of Guard Services at BlackBerry. "It's not a shock why they chose ransomware … [they] were able to cause the maximum amount of damage across platforms."

Once they established a foothold in the target organization, he says, it was "off to the races." After a week, the attackers targeted only the main servers, a clear indication that they intended to cripple the infrastructure and ensure a ransom payment.

Tycoon Adds New Twist to Ransomware
Tycoon is deployed as a Trojanized Java Runtime Environment (JRE) compiled into a Java image file (JIMAGE), a file format that stores custom JRE images and is designed to be consumed by the Java Virtual Machine (JVM) at runtime. A JIMAGE file holds the resources and class files of all Java modules that make up the specific JRE build. Unlike the more familiar Java Archive (JAR) format, JIMAGE is mostly internal to the Java Development Kit (JDK); developers rarely handle it directly.

"Because JIMAGE is more used internally by Java, it's a very nice way to hide," says Claudiu Teodorescu, director of BlackBerry's threat hunting and intelligence operations, noting that businesses may assume the activity is coming from an internal developer. "This is a nice way to be stealthy because nobody will look into JIMAGE and think something is off." 

The use of a JIMAGE file is "completely new" to ransomware, adds Milam. JIMAGE isn't normally parsed by antivirus and may appear to be a standard component or library shipped with the JDK. "There's not a lot of reason to question [it]," he says. Researchers note the malicious JRE build contains both Windows and Linux versions of a shell script that triggers the ransomware when executed, which indicates Linux servers are also targets.
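The flip side of "nobody looks into JIMAGE" is that the format is easy to look for: it has a fixed header, and a legitimate JDK 9+ runtime keeps exactly one such file, at lib/modules. The Go program below is an added example written for this page, not BlackBerry's or KPMG's tooling. It parses the fixed JIMAGE header (the 0xCAFEDADA magic followed by six 32-bit fields, per OpenJDK's ImageHeader class; how I split the version slot into major and minor is my reading of that class, not something the article states) in either byte order, then walks a directory tree and reports JIMAGE files that do not sit at a lib/modules path. The path rule and the SyntheticHeader helper are the example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

const (
	jimageMagic uint32 = 0xCAFEDADA // OpenJDK ImageHeader magic, written in the host's native byte order
	headerSize         = 28         // the fixed header is seven 32-bit slots
)

// Header is the parsed fixed header. Splitting the version slot as
// major<<16|minor is my reading of OpenJDK's ImageHeader, not an article claim.
type Header struct {
	Major, Minor  uint16
	Flags         uint32
	ResourceCount uint32 // class files and other resources packed in the image
	TableLength   uint32 // entries in the lookup tables that follow the header
	LocationsSize uint32
	StringsSize   uint32
}

var ErrNotJimage = errors.New("not a JIMAGE header")

// ParseHeader accepts either byte order: on x86 the file starts DA DA FE CA,
// while an image built on a big-endian host carries the magic the other way.
func ParseHeader(data []byte) (*Header, error) {
	if len(data) < headerSize {
		return nil, ErrNotJimage
	}
	for _, bo := range []binary.ByteOrder{binary.LittleEndian, binary.BigEndian} {
		if bo.Uint32(data[0:4]) != jimageMagic {
			continue
		}
		var s [7]uint32
		for i := range s {
			s[i] = bo.Uint32(data[4*i:])
		}
		return &Header{Major: uint16(s[1] >> 16), Minor: uint16(s[1]), Flags: s[2],
			ResourceCount: s[3], TableLength: s[4], LocationsSize: s[5], StringsSize: s[6]}, nil
	}
	return nil, ErrNotJimage
}

// ScanTree walks root and returns every JIMAGE found outside <JAVA_HOME>/lib/modules,
// the one place a JDK 9+ runtime keeps one. Only the first 28 bytes of each file are read.
func ScanTree(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return nil // unreadable entries and non-files are skipped, not fatal
		}
		f, err := os.Open(p)
		if err != nil {
			return nil
		}
		defer f.Close()
		buf := make([]byte, headerSize)
		if _, err := io.ReadFull(f, buf); err != nil {
			return nil // shorter than a header: cannot be a JIMAGE
		}
		if _, err := ParseHeader(buf); err == nil && !strings.HasSuffix(filepath.ToSlash(p), "/lib/modules") {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

// SyntheticHeader builds a minimal, constructed JIMAGE header for tests.
func SyntheticHeader(bo binary.ByteOrder, resources uint32) []byte {
	b := make([]byte, headerSize)
	bo.PutUint32(b[0:4], jimageMagic)
	bo.PutUint32(b[4:8], 1<<16) // version 1.0
	bo.PutUint32(b[12:16], resources)
	return b
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := ScanTree(root)
	for _, p := range hits {
		fmt.Println("JIMAGE outside lib/modules:", p)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

Run it against a tree (`go run . /path/to/scan`); on a clean host it should report nothing, since a stock JDK's only JIMAGE is lib/modules. A hit is a lead, not a verdict: a jlink-built runtime bundled with a legitimate application also carries a lib/modules, and an attacker can of course name the file anything. Any JIMAGE under a user profile, temp directory, or web root is worth pulling apart with the JDK's own `jimage list` and `jimage extract` tools to see which modules and classes it actually contains.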

Because the AES keys used to encrypt files are themselves encrypted with an asymmetric RSA public key, decrypting files requires the attacker's RSA private key. Researchers note some victims may not have needed to pay: in a BleepingComputer forum, a Tycoon victim posted an RSA private key, presumably extracted from a decryptor bought from the attackers. That key could decrypt files encrypted by the earliest version of Tycoon, which used the .redrum extension.
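To see why a private key posted by one victim helps others only if they were hit under the same key, here is the hybrid construction the paragraph describes, as an added example in Go. This is not Tycoon's code, and the article does not give its exact primitives: AES-256-GCM for the file, RSA-OAEP for the key wrap, and a fresh key per file are this example's choices. The Demo function encrypts a constructed sample file under campaign key A, then tries to recover it with A (standing in for the key the victim posted) and with an unrelated key B.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is one file under the hybrid scheme: the AES key travels with
// the file, but only as an RSA ciphertext that the victim has no key to open.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the campaign public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with its tag
}

// Encrypt draws a fresh AES key for the file, seals the content with it, then
// wraps the key with the public key. The private half never touches the
// victim machine, which is the whole point of the construction.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt unwraps the file key with a private key and opens the content. With a
// private key from a different campaign the OAEP unwrap fails outright, so a
// leaked key only helps victims hit under the matching public key.
func Decrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("file key does not unwrap with this private key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo plays the article's situation in miniature: a file encrypted under
// campaign key A, then tried against A (the key a victim posted) and against
// an unrelated campaign key B. It reports whether A recovered the file and
// whether B was rejected.
func Demo() (recoveredWithA, rejectedWithB bool, err error) {
	keyA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	keyB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	content := []byte("constructed sample file contents: Q1 ledger, not real data")
	ef, err := Encrypt(&keyA.PublicKey, content)
	if err != nil {
		return false, false, err
	}
	got, errA := Decrypt(keyA, ef)
	recoveredWithA = errA == nil && bytes.Equal(got, content)
	_, errB := Decrypt(keyB, ef)
	rejectedWithB = errB != nil
	return recoveredWithA, rejectedWithB, nil
}

func main() {
	a, b, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("matching private key recovers the file: %v; unrelated private key rejected: %v\n", a, b)
}
```

The practical reading for a responder: a leaked or purchased private key is worth trying against every victim, but it will only unwrap file keys that were encrypted to that specific public key, which is why the posted key helped with the early .redrum files and would not be expected to help with later builds that shipped a different key pair.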

Researchers also noticed overlap between Tycoon and the Dharma/CrySIS ransomware: in particular, the email addresses, the ransom note text, and the naming convention for encrypted files. Dharma/CrySIS appeared last year and didn't go away, Teodorescu says. When Tycoon appeared in December, researchers noticed the .redrum extension, which had also been seen in earlier Dharma/CrySIS campaigns. Like Tycoon, Dharma/CrySIS exploited weak RDP credentials to break in. While Java was not part of those attacks, the attackers were also living off the land.

Malware writers are constantly seeking new ways to evade detection, the researchers state in their blog post. Attackers are now moving away from conventional obfuscation and toward uncommon programming languages and obscure data formats; the researchers note a "substantial increase" in ransomware written in Java, Go, and other languages.

For businesses that want to better protect against Tycoon, Teodorescu advises first making sure they know their infrastructure: "Have a clear methodology of auditing credentials, patching your operating system, patching web servers, [and] making sure you have cyber hygiene methodology in place for your organization," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...