A sophisticated new ransomware family called Charon has emerged in the cybersecurity landscape, targeting organizations in the Middle East’s public sector and aviation industry with advanced persistent threat (APT) techniques typically reserved for nation-state actors.
The ransomware campaign represents a concerning evolution in cybercriminal operations, combining stealth, precision, and destructive capabilities to maximize impact on victim organizations.
The threat actors behind Charon demonstrate remarkable technical sophistication by employing DLL sideloading techniques that closely mirror tactics previously documented in Earth Baxia campaigns, which have historically focused on government sectors.
The attack chain begins with the execution of a legitimate Edge.exe binary, originally named cookie_exporter.exe, which is then abused to sideload a malicious Dynamic Link Library (DLL) file named msedge.dll, internally designated as “SWORDLDR.”
Trend Micro researchers identified this campaign through forensic investigation after initially missing a critical component called DumpStack.log in their telemetry.
Upon recovery and analysis of this file, they discovered it contained encrypted shellcode that, when decrypted, revealed the Charon ransomware payload.
The ransomware’s custom ransom note specifically references victim organizations by name, confirming this as a targeted operation rather than an opportunistic attack.
The malware’s deployment strategy involves a sophisticated multistage payload extraction technique. The SWORDLDR component loads the seemingly benign DumpStack.log file, which actually contains multiple layers of encrypted shellcode.
After decryption of the first layer, an intermediate payload emerges with embedded configuration data specifically indicating the use of svchost.exe for process injection, as shown in the recovered code structure.
Advanced Evasion and Encryption Mechanisms
Charon’s technical architecture reveals several advanced capabilities designed to evade detection and maximize encryption efficiency.
The ransomware creates a mutex named “OopsCharonHere” to prevent multiple instances from running simultaneously.
Before initiating encryption, it systematically disables security-related services and terminates active processes, including antivirus and endpoint protection software.
The malware employs a hybrid cryptographic scheme combining Curve25519 elliptic curve cryptography with the ChaCha20 stream cipher.
It generates a 32-byte random private key using Windows’ cryptographic functions, derives the corresponding public key, and combines its private key with a hardcoded public key embedded in the binary to establish a shared secret.
This sophisticated encryption approach includes partial file encryption strategies based on file size, with smaller files receiving full encryption while larger files have strategic chunks encrypted at specific positions.
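The size-dependent partial encryption described above leaves a recognisable on-disk pattern: a small file becomes high-entropy end to end, while a large file keeps ordinary, compressible content between a few high-entropy chunks. The following scanner, added here as an illustration and not code from Trend Micro's report or from the malware, measures per-window Shannon entropy to separate those two cases from an untouched document. The window size, the 7.5 bits/byte threshold, the chunk positions and all sample file contents are constructed assumptions, not values taken from the Charon analysis.

```python
import math
from collections import Counter
from random import Random

CHUNK = 4096   # entropy window in bytes (assumption, not a Charon parameter)
HIGH = 7.5     # bits/byte at or above which a window looks encrypted or compressed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive `chunk`-byte window (last window may be short)."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH) -> str:
    """
    'full'    : every window is high-entropy (whole file encrypted, or a compressed format)
    'partial' : high-entropy windows mixed with ordinary ones (chunk-wise encryption)
    'plain'   : no high-entropy window at all
    """
    profile = chunk_profile(data, chunk)
    if not profile:
        return "plain"
    hot = [e >= high for e in profile]
    if all(hot):
        return "full"
    if any(hot):
        return "partial"
    return "plain"


# Constructed sample files. Deterministic pseudo-random bytes stand in for
# ciphertext; repeated English text stands in for an ordinary document.
_rng = Random(1)
_TEXT = b"Quarterly revenue report: all figures in thousands of USD.\n"
_document = (_TEXT * 1200)[:64 * 1024]            # 64 KiB of compressible text

_partial = bytearray(_document)                    # large file: only two windows "encrypted"
_partial[0:CHUNK] = _rng.randbytes(CHUNK)          # first window
_partial[32768:32768 + CHUNK] = _rng.randbytes(CHUNK)  # a window in the middle

SAMPLES = {
    "untouched_document": bytes(_document),
    "large_partially_encrypted": bytes(_partial),
    "small_fully_encrypted": _rng.randbytes(2048),  # small file: encrypted end to end
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns {name: classification}."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:28s} {verdict}")
```

On real file systems the 'full' verdict is ambiguous on its own, since archives, images and already-encrypted containers look the same; the 'partial' verdict, especially when it appears across many documents of the same type at once, is the more useful trigger, and the per-window profile can be compared against a baseline taken before an incident.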
Perhaps most concerning is Charon’s inclusion of anti-EDR capabilities derived from the public Dark-Kill project.
The ransomware attempts to drop a driver as WWC.sys and register it as the “WWC” service, though analysis revealed this component remains dormant in current variants, suggesting ongoing development for future versions.
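The observable artefacts named on this page, the renamed Edge binary sideloading msedge.dll, the "OopsCharonHere" mutex, and the WWC.sys driver registered as the "WWC" service, can be turned into simple triage rules over endpoint telemetry. The script below is an added example and not code from Trend Micro or from any detection product; the event records are constructed, with field names modelled on Sysmon where Sysmon has a matching event and on typical EDR output for the mutex and service records, and every file path in them is invented for illustration.

```python
import ntpath
from typing import Dict, List, Optional

Event = Dict[str, str]
Finding = Dict[str, str]

# Constructed telemetry. Paths, the benign comparison events and the
# field layout are assumptions for this example, not observed indicators.
EVENTS: List[Event] = [
    {"type": "image_load",
     "Image": r"C:\Users\Public\tools\Edge.exe",
     "OriginalFileName": "cookie_exporter.exe",
     "ImageLoaded": r"C:\Users\Public\tools\msedge.dll"},
    {"type": "image_load",                      # benign: on-disk name matches the PE header
     "Image": r"C:\Program Files\Example\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "ImageLoaded": r"C:\Program Files\Example\msedge.dll"},
    {"type": "mutex_create",
     "Image": r"C:\Windows\System32\svchost.exe",
     "MutexName": "OopsCharonHere"},
    {"type": "service_install",
     "ServiceName": "WWC",
     "ImagePath": r"C:\Windows\Temp\WWC.sys",
     "ServiceType": "kernel mode driver"},
    {"type": "service_install",                 # benign service for comparison
     "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "ServiceType": "win32 own process"},
]


def rule_sideload(ev: Event) -> Optional[Finding]:
    """msedge.dll loaded from the directory of a process whose on-disk name
    differs from its OriginalFileName (a renamed binary), the page's chain."""
    if ev.get("type") != "image_load":
        return None
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    exe = ntpath.basename(ev["Image"]).lower()
    renamed = exe != ev.get("OriginalFileName", exe).lower()
    same_dir = ntpath.dirname(ev["ImageLoaded"]).lower() == ntpath.dirname(ev["Image"]).lower()
    if dll == "msedge.dll" and same_dir and renamed:
        return {"severity": "high", "rule": "renamed-edge-sideload",
                "detail": f"{ev['Image']} (OriginalFileName={ev.get('OriginalFileName')}) "
                          f"loaded {ev['ImageLoaded']}"}
    return None


def rule_mutex(ev: Event) -> Optional[Finding]:
    """Exact match on the mutex the ransomware creates to stay single-instance."""
    if ev.get("type") == "mutex_create" and ev.get("MutexName") == "OopsCharonHere":
        return {"severity": "high", "rule": "charon-mutex",
                "detail": f"{ev['Image']} created mutex {ev['MutexName']}"}
    return None


def rule_driver(ev: Event) -> Optional[Finding]:
    """Service named WWC, or any service whose image is WWC.sys (the dormant anti-EDR driver)."""
    if ev.get("type") != "service_install":
        return None
    image = ntpath.basename(ev.get("ImagePath", "")).lower()
    if ev.get("ServiceName") == "WWC" or image == "wwc.sys":
        return {"severity": "high", "rule": "wwc-driver-service",
                "detail": f"service {ev.get('ServiceName')} -> {ev.get('ImagePath')}"}
    return None


RULES = (rule_sideload, rule_mutex, rule_driver)


def triage(events: List[Event]) -> List[Finding]:
    """Run every rule over every event, preserving event order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```

The sideload rule is the only one of the three that generalises: it keys on the name mismatch between the on-disk file and the PE header rather than on a specific path, so it also catches the same technique with a different loader name, whereas the mutex and service rules are exact indicators that will break as soon as the authors change those strings.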