A new ransomware strain dubbed Tycoon is out in the wild, ready to attack Linux and Windows machines. It uses a little-known Java image format as part of its kill chain.

Researchers at BlackBerry Cylance report that Tycoon, which arrives encased in a trojanized build of the Java Runtime Environment (JRE), has been around since December 2019. It has been targeting several industries, including software development and education, at small- to medium-sized organizations.

"Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims," the researchers noted in a blog post. "This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived as more successful in specific environments."

The researchers, working with KPMG's UK Cyber Response Services, studied a targeted attack using the Tycoon malware on a business's file servers and domain controller. They concluded that the ransomware uses distinct techniques that make it noteworthy and unusual.

One distinct technique is the delivery mechanism: the ransomware arrives in a .ZIP compressed archive that houses a trojanized JRE build. Tycoon is compiled into a Java image file (JIMAGE), a special file format used to store the class and resource files of multiple Java modules to support custom JRE builds. Unlike the Java Archive format (JAR), it is not widely used by developers.

The ransomware is activated by running a shell script that executes the main malicious Java module, of which there is a Linux and a Windows version. The project's BuildConfig file holds the configuration, which contains the attacker's email address, the ransom note to include, an RSA public key, a set of shell commands to be executed, and an exclusions list. According to the researchers, the commands include instructions on how to encrypt the files found on the attacked device.
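The two paragraphs above describe a packaging trick a defender can look for: a JIMAGE file inside a ZIP that is not a stock JDK distribution. The following Python triage script is an added example, not code from the article or from the BlackBerry Cylance researchers. It assumes the JIMAGE header magic value 0xCAFEDADA taken from OpenJDK's jimage sources (checked in both byte orders, since the format is written in native endianness), and it treats `lib/modules`, the one place a stock JDK keeps its JIMAGE file, as the expected location; any other JIMAGE entry is flagged for closer inspection. The sample archive is constructed inline so the script runs offline.

```python
import io
import struct
import zipfile

# JIMAGE header magic as defined in OpenJDK's jimage sources (0xCAFEDADA).
# This is an assumption about the format taken from the JDK, not from the article.
JIMAGE_MAGIC = 0xCAFEDADA
JIMAGE_MAGIC_LE = struct.pack("<I", JIMAGE_MAGIC)
JIMAGE_MAGIC_BE = struct.pack(">I", JIMAGE_MAGIC)

# Where a stock JDK/JRE keeps its only JIMAGE file; anything elsewhere is unusual.
EXPECTED_SUFFIX = "lib/modules"


def is_jimage(head: bytes) -> bool:
    """True if the first four bytes carry the JIMAGE magic in either byte order."""
    return head[:4] in (JIMAGE_MAGIC_LE, JIMAGE_MAGIC_BE)


def find_jimage_entries(zip_bytes: bytes) -> list:
    """Return (entry name, suspicious) for every ZIP member that starts with a JIMAGE header.

    An entry is marked suspicious when it is a JIMAGE file stored somewhere other
    than the stock lib/modules location of a JRE layout.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the header is needed for the magic check
            if is_jimage(head):
                suspicious = not info.filename.endswith(EXPECTED_SUFFIX)
                hits.append((info.filename, suspicious))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a JRE-like layout plus a stray JIMAGE file and a launcher script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jre/lib/modules", JIMAGE_MAGIC_LE + b"\x00" * 60)   # expected place
        zf.writestr("jre/bin/launch.sh", b"#!/bin/sh\necho constructed stub\n")
        zf.writestr("jre/lib/security/extra.dat", JIMAGE_MAGIC_LE + b"\x00" * 60)  # stray
        zf.writestr("README.txt", b"not a jimage")
    return buf.getvalue()


if __name__ == "__main__":
    for name, suspicious in find_jimage_entries(build_sample_archive()):
        print(f"{name}: JIMAGE header {'(unexpected location)' if suspicious else '(stock location)'}")
```

Running the script against the constructed archive reports `jre/lib/modules` as a JIMAGE in its stock location and `jre/lib/security/extra.dat` as a JIMAGE in an unexpected location. In practice the same check can be pointed at archives arriving by email or download, where a JIMAGE file appearing at all, let alone outside `lib/modules`, merits a second look given how rarely developers ship this format.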

It is not clear who authored the Tycoon ransomware, but the researchers noticed clues and similarities linking it to a known malware family, the Dharma/CrySIS ransomware. They spotted the connection through the naming convention used for encrypted files and the text of the ransom note.

The CrySIS ransomware emerged in 2016. It encrypts and deletes all file types, including executables, and drops a copy of itself in multiple locations. It spread through links in spam messages and via email attachments with double file extensions.