Trend Micro researchers have uncovered a novel ransomware family dubbed Charon, deployed in a sophisticated campaign targeting the public sector and aviation industry in the Middle East.
This operation employs advanced persistent threat (APT)-style techniques, including DLL sideloading via a legitimate Edge.exe binary (originally cookie_exporter.exe) to load a malicious msedge.dll loader known as SWORDLDR.
Discovery of Charon in Middle East Operations
The loader decrypts an encrypted shellcode hidden in a file named DumpStack.log, which contains multilayered payloads.
Forensic analysis revealed that the initial decryption layer exposes configuration data specifying process injection into svchost.exe, enabling the malware to masquerade as a legitimate Windows service and evade endpoint security.
A second decryption layer yields the final Charon portable executable (PE), which encrypts files, appending the .Charon extension and the infection marker “hCharon is enter to the urworld!”.
The ransom note is customized to name the victim organization, underscoring the targeted nature of the attack. Overlapping toolchains (in particular the encrypted-shellcode delivery chain) suggest possible ties to Earth Baxia campaigns, but attribution remains tentative without shared infrastructure evidence.
Evasion Mechanisms
Charon exhibits a high degree of sophistication in its encryption and evasion routines. Upon execution, it processes command-line arguments such as --debug for error logging, --shares for targeting network shares (excluding ADMIN$), --paths for specific local paths or drives to encrypt, and --sf to prioritize shares over local drives.
It establishes a mutex named OopsCharonHere to prevent multiple instances, then disrupts defenses by terminating security-related processes and services, deleting shadow copies via COM interfaces, and emptying the Recycle Bin.
Leveraging multithreading based on available processor cores, Charon accelerates encryption using a hybrid scheme: Curve25519 elliptic curve Diffie-Hellman for key exchange and the ChaCha20 stream cipher for the file data itself.
A random 32-byte private key is generated and used to derive a public key; that private key is combined with the attacker's embedded, hardcoded public key to produce a shared secret, which serves as the 256-bit ChaCha20 key. Because the attacker's private key never leaves the operator, only they can recompute that secret from the victim's public key.
Encryption is intermittent for speed: files under 64KB are encrypted in full, files of 64KB-5MB in three chunks, 5MB-20MB in five, and larger files in seven strategically placed chunks. Each encrypted file receives a 72-byte footer containing the victim's public key and metadata.
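The key exchange described above, as an added example that is not Charon's code or Trend Micro's analysis: an X25519 implementation written directly from RFC 7748, used to show why the footer needs to carry the victim's public key and why nothing left on the victim's machine can recompute the ChaCha20 key once the per-run private key is gone. The "operator" key pair is the Alice test vector from RFC 7748 §6.1 standing in for a real operator key (only its public half would appear in the binary); the function and variable names are this example's own, and ChaCha20 itself is out of scope, so the code stops at the 32-byte shared secret that would key it.

```python
"""X25519 key agreement (RFC 7748) demonstrating the hybrid-encryption key flow.
Added example; the operator key pair is the RFC 7748 Alice test vector, not a real key."""
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clear the low 3 bits (cofactor clearing)
    k[31] &= 127         # clear the top bit
    k[31] |= 64          # set bit 254 so the ladder always runs the same number of steps
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # ignore the unused top bit; reduce non-canonical inputs mod p
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the Montgomery ladder (RFC 7748 §5).
    Python big ints are not constant-time: fine for a demonstration, not for production."""
    k, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# Operator-side key pair. In a real sample only OPERATOR_PUB is hardcoded in the binary.
OPERATOR_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
OPERATOR_PUB = x25519(OPERATOR_PRIV, BASEPOINT)


def victim_encrypt_setup() -> tuple:
    """Per-run step on the victim: fresh 32-byte private key -> public key -> shared
    secret with the embedded operator public key. Returns the public key (the part that
    goes into the file footer) and the 256-bit key that would drive ChaCha20. The
    ephemeral private key is dropped on return and never written anywhere."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    chacha_key = x25519(eph_priv, OPERATOR_PUB)
    return eph_pub, chacha_key


def operator_recover_key(eph_pub_from_footer: bytes) -> bytes:
    """Only the holder of OPERATOR_PRIV can turn the footer's public key back into the
    file key; a defender holding the binary (OPERATOR_PUB) and the footer cannot."""
    return x25519(OPERATOR_PRIV, eph_pub_from_footer)


def rfc7748_self_test() -> bool:
    """Check the ladder against the RFC 7748 §6.1 Alice/Bob vectors."""
    bob_priv = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    pub_ok = OPERATOR_PUB.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    shared_ok = x25519(bob_priv, OPERATOR_PUB).hex() == (
        "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return pub_ok and shared_ok


if __name__ == "__main__":
    footer_pub, file_key = victim_encrypt_setup()
    assert operator_recover_key(footer_pub) == file_key
    print("footer public key:", footer_pub.hex())
    print("RFC 7748 self-test passed:", rfc7748_self_test())
```

The practical consequence for responders: recovering the footer's public key from an encrypted file tells you which run produced it, but without the operator's private half it yields no key material, which is why offline backups, not cryptanalysis, are the realistic recovery path.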
Notably, it skips .exe, .dll, .Charon files, and its own ransom note “How To Restore Your Files.txt.” Charon also scans and encrypts network shares via NetShareEnum and WNetEnumResource, enhancing lateral propagation.

Embedded within its binary is an anti-EDR driver from the public Dark-Kill project, intended for deployment as WWC.sys to disable endpoint detection tools, though it remains inactive in this variant, suggesting ongoing development.
This ransomware’s fusion of APT tactics with rapid encryption poses severe risks, including data loss, operational downtime, and financial extortion through tailored demands.
The campaign's stealth, achieved through sideloading and process injection, reflects a broader trend of ransomware operators adopting evasion methods such as injection into trusted system processes and anti-EDR payloads to bypass traditional defenses.
Organizations face compounded threats from potential data exfiltration and recovery challenges, amplified by the deletion of backups.
To counter Charon, security teams should implement layered defenses: restrict DLL loading from user-writable directories, monitor anomalous process chains involving signed binaries (such as a relocated Edge.exe loading msedge.dll or spawning svchost.exe), and ensure EDR solutions resist tampering, including attempts to load unsigned or vulnerable drivers.
Limiting lateral movement through strong authentication, disabling unnecessary admin shares, and maintaining offline immutable backups are essential.
User training on phishing avoidance and least-privilege access further reduces initial compromise risks, while proactive threat hunting using IOCs can preempt attacks.
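The process-chain and artifact hunting suggested above, as an added example (not Trend Micro's detection content): a small Python pass over constructed Sysmon-style events covering the sideload (a Microsoft-signed Edge binary running outside its install directory and loading msedge.dll from there), an svchost.exe whose parent is not services.exe, the DumpStack.log carrier, and the .Charon extension and ransom-note name. The event records are made up for this example; their field names follow Sysmon's ProcessCreate (EventID 1), ImageLoad (7) and FileCreate (11) schemas, and the staging path used is invented.

```python
"""Hunting checks for the Charon tradecraft described in the article, run over
constructed Sysmon-style events. Added example; events below are not real telemetry."""
from pathlib import PureWindowsPath

# Where msedge.dll legitimately lives. Assumption: default installs only; add per-user
# or enterprise install roots from your own baseline.
EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)
EDGE_IMAGES = {"edge.exe", "msedge.exe", "cookie_exporter.exe"}
RANSOM_NOTE = "how to restore your files.txt"
ENCRYPTED_EXT = ".charon"
# services.exe is the normal svchost.exe parent; tune against your baseline before deploying.
SVCHOST_PARENTS = {"services.exe"}


def _under(path: str, roots) -> bool:
    p = path.lower().rstrip("\\")
    return any(p == r or p.startswith(r + "\\") for r in roots)


def check_event(ev: dict) -> list:
    """Return zero or more alert strings for one event."""
    alerts = []
    eid = ev["EventID"]
    if eid == 7:  # ImageLoad: the sideload itself (Edge binary -> rogue msedge.dll)
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.name.lower() == "msedge.dll" and not _under(str(dll.parent), EDGE_DIRS):
            alerts.append(f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}")
    elif eid == 1:  # ProcessCreate
        image = PureWindowsPath(ev["Image"])
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        # svchost.exe started by anything but services.exe is the masquerading stage.
        if image.name.lower() == "svchost.exe" and parent not in SVCHOST_PARENTS:
            alerts.append(f"svchost parent: {ev['ParentImage']} -> {ev['Image']}")
        # A Microsoft-signed Edge binary outside its install directory is the
        # precondition for the sideload, whatever it has been renamed to.
        if (ev.get("Company", "").lower().startswith("microsoft")
                and image.name.lower() in EDGE_IMAGES
                and not _under(str(image.parent), EDGE_DIRS)):
            alerts.append(f"edge outside install dir: {ev['Image']}")
    elif eid == 11:  # FileCreate
        target = PureWindowsPath(ev["TargetFilename"])
        name = target.name.lower()
        if name == RANSOM_NOTE or target.suffix.lower() == ENCRYPTED_EXT:
            alerts.append(f"ransomware artifact: {ev['TargetFilename']}")
        # Windows itself writes DumpStack.log at the root of the system drive, so the
        # name alone is a weak indicator; a copy elsewhere is the shellcode carrier.
        if name == "dumpstack.log" and str(target.parent).lower() != "c:\\":
            alerts.append(f"dumpstack.log outside system drive root: {ev['TargetFilename']}")
    return alerts


def scan(events) -> list:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed telemetry: four benign events, then a Charon-style chain in an invented
# staging directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Company": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft\Edge\Application\msedge.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Company": "Microsoft Corporation"},
    {"EventID": 11, "Image": "System", "TargetFilename": r"C:\DumpStack.log"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\Music\DumpStack.log"},
    {"EventID": 1, "Image": r"C:\Users\Public\Music\Edge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Company": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\Users\Public\Music\Edge.exe",
     "ImageLoaded": r"C:\Users\Public\Music\msedge.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\Music\Edge.exe", "Company": "Microsoft Corporation"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"D:\Finance\budget.xlsx.Charon"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"D:\Finance\How To Restore Your Files.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The first two rules fire before any file is encrypted, which is the point: the sideload and the svchost parent anomaly are visible while the ransomware is still staging, whereas the .Charon extension and ransom note confirm an incident that has already begun.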
As ransomware evolves toward APT convergence, enterprises must prioritize resilience with integrated intelligence and response frameworks to mitigate these escalating cyber threats.