New Ransomware Possibly Linked to Earth Baxia
A previously uncatalogued ransomware strain is targeting public sector and aviation organizations in the Middle East. The threat actor uses techniques similar to a previously documented hacking group likely based in China.
Operators of the ransomware, which appends encrypted files with a .Charon extension, use techniques reminiscent of a nation-state threat actor. Charon hackers choose their targets rather than attacking opportunistically, says analysis from Trend Micro. In Greek mythology, Charon ferries dead souls into the underworld.
A “distinctive DLL sideloading methodology” points to potential overlap with a China-based threat actor, tracked by Trend Micro as Earth Baxia. The cybersecurity firm in fall 2024 spotted Earth Baxia deploying Cobalt Strike components and a backdoor primarily against agencies, telecommunication businesses, and the energy industry in the Asia Pacific region. A decoy document used in the infection chain written in simplified Chinese suggested that Chinese organizations may also have been targets, but Trend Micro said it couldn’t confirm that.
Trend Micro researchers did not “definitively attribute” Charon to Earth Baxia since the overlap could represent anything from direct involvement to imitation or independent development of similar tactics.
Regardless of its attribution, the techniques used to deliver the ransomware are a caution to enterprises, Trend Micro said. Charon operators are using techniques once the province of nation-state groups, and “even well-defended networks can be compromised.” Some researchers have separately found increased evidence of collaboration between nation-state groups and ransomware operators, who can provide a cover for cyberespionage (see: APT Groups Using Ransomware ‘Smokescreen’ for Espionage).
Charon malware masquerades as a legitimate Windows Service Host process. The infection begins with hackers executing a legitimate Edge browser binary for importing and exporting cookies, using it to sideload a malicious DLL named msedge.dll, also known as Swordldr. That downloads an embedded ransomware payload and injects it into a newly spawned svchost.exe process. “This technique allows the malware to masquerade as a legitimate Windows service, bypassing usual endpoint security controls.”
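The sideloading and injection chain described above leaves footprints that endpoint telemetry can surface: an msedge.dll loaded from somewhere other than the Edge install directory, an svchost.exe whose parent is not services.exe, and (from the next paragraph) shadow-copy deletion before encryption. The script below is an added example written for this article, not Trend Micro's tooling. The event records are constructed to resemble Sysmon-style process-creation and image-load data, the Edge install path is an assumption about a standard installation, and the `vssadmin`/`wmic` commands are common shadow-copy deletion methods rather than anything the article attributes to Charon.

```python
"""
Hunting for the Charon delivery pattern in constructed endpoint telemetry.
Added example for this article; events below are fabricated for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    kind: str          # "process" (process creation) or "imageload" (DLL load)
    image: str         # full path of the created process, or of the loading process
    parent: str = ""   # parent image for "process" events
    cmdline: str = ""  # command line for "process" events
    loaded: str = ""   # DLL path for "imageload" events


# Assumption: a standard Edge install keeps msedge.dll under this directory;
# a copy loaded from anywhere else matches the sideloading described in the article.
EDGE_DIR = r"c:\program files (x86)\microsoft\edge\application"


def is_suspicious_svchost(ev: Event) -> bool:
    """svchost.exe is normally started by services.exe; any other parent is anomalous."""
    return (ev.kind == "process"
            and ev.image.lower().endswith("\\svchost.exe")
            and not ev.parent.lower().endswith("\\services.exe"))


def is_msedge_dll_sideload(ev: Event) -> bool:
    """msedge.dll loaded from outside the Edge installation directory."""
    if ev.kind != "imageload":
        return False
    dll = ev.loaded.lower()
    return dll.endswith("\\msedge.dll") and not dll.startswith(EDGE_DIR)


def is_shadow_copy_deletion(ev: Event) -> bool:
    """Common shadow-copy deletion command lines (assumption; the article only says copies are deleted)."""
    c = ev.cmdline.lower()
    return ev.kind == "process" and (
        ("vssadmin" in c and "delete shadows" in c)
        or ("wmic" in c and "shadowcopy" in c and "delete" in c)
    )


RULES: Dict[str, Callable[[Event], bool]] = {
    "svchost-unusual-parent": is_suspicious_svchost,
    "msedge-dll-sideload": is_msedge_dll_sideload,
    "shadow-copy-deletion": is_shadow_copy_deletion,
}


def triage(events: List[Event]) -> Dict[str, List[Event]]:
    """Return every rule that fired, mapped to the events that triggered it."""
    hits: Dict[str, List[Event]] = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev)
    return hits


# Constructed sample: two benign events followed by the three stages of the chain.
# "edge_tool.exe" is a placeholder for the legitimate Edge cookie-export binary, which the article does not name.
SAMPLE_EVENTS = [
    Event("process", r"c:\windows\system32\svchost.exe", parent=r"c:\windows\system32\services.exe",
          cmdline="svchost.exe -k netsvcs"),
    Event("imageload", r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
          loaded=r"c:\program files (x86)\microsoft\edge\application\msedge.dll"),
    Event("imageload", r"c:\users\public\edge_tool.exe", loaded=r"c:\users\public\msedge.dll"),
    Event("process", r"c:\windows\system32\svchost.exe", parent=r"c:\users\public\edge_tool.exe",
          cmdline="svchost.exe"),
    Event("process", r"c:\windows\system32\vssadmin.exe", parent=r"c:\windows\system32\svchost.exe",
          cmdline="vssadmin delete shadows /all /quiet"),
]


if __name__ == "__main__":
    for rule_name, matched in triage(SAMPLE_EVENTS).items():
        for ev in matched:
            print(f"[{rule_name}] {ev.image} parent={ev.parent or '-'} loaded={ev.loaded or '-'}")
```

Each rule is deliberately narrow and cheap so it can be ported to whatever query language the SIEM or EDR uses; the parent-process check on svchost.exe is the one most directly tied to the injection step the article describes, while the DLL path check catches the sideload regardless of which host binary is abused.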
Before swinging into its encryption routine, Charon malware stops security-related services and terminates active processes. It also deletes shadow copies and backup files. As an aid to speedy encryption, it checks the number of processor cores available on the system and creates multiple file encryption threads. It avoids encrypting executable and DLL files.
Encrypted files are appended with .Charon and an infection marker stating “hCharon is enter to the urworld!”
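For incident responders scoping an infection, the extension and the marker string above give two independent indicators per file. The script below is an added example for this article, not a tool from Trend Micro; it assumes the marker is written at the end of each encrypted file (the article says it is appended) and builds a constructed sample directory so it runs offline. It also illustrates the point that executables and DLLs are left untouched, since those files in the sample carry neither indicator.

```python
"""
Post-incident triage: find files carrying the .Charon extension and/or the infection marker.
Added example for this article; the sample tree is constructed, not recovered from a real host.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional

CHARON_EXT = ".Charon"
CHARON_MARKER = b"hCharon is enter to the urworld!"


def has_charon_marker(path: Path) -> bool:
    """Check only the file tail: the marker is assumed to be appended, so no full read is needed."""
    size = path.stat().st_size
    if size < len(CHARON_MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(CHARON_MARKER))
        return fh.read() == CHARON_MARKER


def classify(path: Path) -> Optional[str]:
    """Combine the two indicators into a verdict; None means the file shows no sign of Charon."""
    has_ext = path.suffix == CHARON_EXT        # case-sensitive, matching the observed extension
    has_marker = has_charon_marker(path)
    if has_ext and has_marker:
        return "encrypted"
    if has_ext:
        return "extension-only"                # renamed but no marker: verify before assuming loss
    if has_marker:
        return "marker-only"                   # marker present but extension gone, e.g. renamed during recovery
    return None


def scan_directory(root: str) -> Dict[str, str]:
    """Walk the tree and map each flagged file (relative path) to its verdict."""
    findings: Dict[str, str] = {}
    base = Path(root)
    for p in base.rglob("*"):
        if p.is_file():
            verdict = classify(p)
            if verdict:
                findings[p.relative_to(base).as_posix()] = verdict
    return findings


def build_sample_tree() -> str:
    """Constructed sample: one fully marked file, one renamed only, one marker-only, untouched exe/dll."""
    root = tempfile.mkdtemp(prefix="charon-triage-")
    files = {
        "docs/report.docx.Charon": b"\x8f\x13\xa0\x42" + CHARON_MARKER,
        "docs/notes.txt.Charon": b"\x00\x11renamed only",
        "docs/recovered.xlsx": b"\x77\x88" + CHARON_MARKER,
        "bin/tool.exe": b"MZ untouched",
        "bin/helper.dll": b"MZ untouched",
    }
    for rel, data in files.items():
        dest = Path(root, rel)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel_path, verdict in sorted(scan_directory(build_sample_tree()).items()):
        print(f"{verdict:15} {rel_path}")
```

Reading only the last few dozen bytes of each file keeps the scan fast on large shares, and separating "extension-only" from "encrypted" avoids over-counting files that were merely renamed or partially processed before the process was stopped.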