A new ransomware family, Tycoon, was reported by analysts at BlackBerry to be targeting Windows® and Linux® systems using a Trojanized Java Runtime Environment (JRE) and leveraging a JIMAGE file to evade detection. The JIMAGE file format is a special file format used to store custom JRE images that the Java Virtual Machine loads at runtime. These files are similar to JAR files; however, they are mostly internal to the Java Development Kit and are rarely used by developers, which is why few security tools inspect them.
In order to establish persistence, the attackers take advantage of a little-known technique called Image File Execution Options (IFEO) injection. IFEO settings are a series of registry keys that define how an executable should be opened (what program opens it, whether a debugger should be attached, etc.). In this case, the attackers set the IFEO key for the On-Screen Keyboard so that whenever the OSK.exe program is launched, the malware is launched as well. The attackers were able to easily disable anti-virus software using the freely available program Process Hacker 2. They also used Mimikatz to recover plain-text passwords from memory and changed the passwords of the administrator accounts to take complete control of servers before beginning the process of encrypting all the files.
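The persistence mechanism above can be audited directly, because every IFEO entry lives under one well-known registry key. The following PowerShell script is an added example (not code from the BlackBerry or Binary Defense write-ups) that enumerates the two IFEO mechanisms that launch a second program: a `Debugger` value under an image name, and a `MonitorProcess` value under `SilentProcessExit`. It assumes it is run as an administrator on the host being reviewed, and the `$AllowList` entries and the list of accessibility binaries are assumptions you should adjust for your environment.

```powershell
# Added example: audit Image File Execution Options (IFEO) persistence points.
# Assumptions: run elevated on the host under review; $AllowList holds the only
# Debugger entries you have verified as legitimate (constructed, empty by default).

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Verified-legitimate Debugger values for this environment (constructed placeholder list).
$AllowList = @{
    # 'example.exe' = 'C:\Program Files\Vendor\debugger.exe'
}

# Accessibility binaries reachable from the logon screen; an IFEO entry on any of
# these (OSK.exe is the one used by Tycoon) deserves immediate attention.
$AccessibilityImages = @('osk.exe', 'sethc.exe', 'utilman.exe', 'magnify.exe',
                         'narrator.exe', 'displayswitch.exe', 'atbroker.exe')

function Get-IfeoFindings {
    [CmdletBinding()]
    param([string]$Root = $IfeoRoot, [hashtable]$Allow = $AllowList)

    $findings = @()

    # 1. Classic IFEO: a "Debugger" value makes Windows start that program instead of
    #    the named image, passing the original command line to it.
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ne 'SilentProcessExit' } |
        ForEach-Object {
            $image    = $_.PSChildName
            $debugger = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($debugger -and ($Allow[$image] -ne $debugger)) {
                $findings += [pscustomobject]@{
                    Image     = $image
                    Mechanism = 'Debugger'
                    Target    = $debugger
                    Priority  = if ($AccessibilityImages -contains $image) { 'High' } else { 'Review' }
                    Key       = $_.PSPath
                }
            }
        }

    # 2. SilentProcessExit: when GlobalFlag has 0x200 set for the image, the program named
    #    in "MonitorProcess" is launched each time the image exits.
    $spe = Join-Path -Path $Root -ChildPath 'SilentProcessExit'
    Get-ChildItem -Path $spe -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.MonitorProcess) {
            $findings += [pscustomobject]@{
                Image     = $_.PSChildName
                Mechanism = 'SilentProcessExit/MonitorProcess'
                Target    = $props.MonitorProcess
                Priority  = if ($AccessibilityImages -contains $_.PSChildName) { 'High' } else { 'Review' }
                Key       = $_.PSPath
            }
        }
    }

    return $findings
}

# Usage: list every redirecting IFEO entry that is not on the allow list.
Get-IfeoFindings | Sort-Object Priority | Format-Table -AutoSize
```

On a clean workstation the output is normally empty; a `Debugger` value on any accessibility binary that points at an unexpected path is the condition described in the paragraph above and should be treated as a persistence finding rather than a configuration quirk. Because the keys are under HKLM, the same query can be run fleet-wide through your EDR or remote PowerShell and the results compared against a known-good baseline.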
As the main infection vector used by this ransomware is highly targeted malspam campaigns, Binary Defense recommends using extreme care when opening emails from untrusted sources. Additionally, once the actors have gained access to a network, they seem to primarily access the network over unsecured Internet-facing RDP servers. A best practice is to protect RDP servers behind a VPN or a hardened Remote Desktop Gateway server, rather than leave RDP directly exposed to the Internet. Binary Defense recommends implementing 24/7 monitoring of Endpoint Detection and Response (EDR), so that unexpected RDP connections and attacker behaviors such as running Mimikatz and killing anti-virus programs can be detected, and the attackers’ access to systems can be cut off quickly.
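The RDP monitoring recommended above can be checked on any Windows host from the Security event log, where remote interactive logons are recorded as Event ID 4624 with logon type 10. The script below is an added example (not from the original write-up) that summarizes those logons over a window of hours and flags any whose source address is outside the ranges you expect, such as your VPN or Remote Desktop Gateway address space. The `$TrustedPrefixes` values are constructed placeholders and must be replaced with your own; the script assumes it is run elevated so the Security log is readable.

```powershell
# Added example: surface unexpected RDP logons from the Windows Security log.
# Assumptions: run elevated on the RDP host; $TrustedPrefixes reflects the address
# space your VPN / RD Gateway uses (the values below are constructed placeholders).

$TrustedPrefixes = @('10.', '192.168.', '172.16.')   # constructed; replace with your own ranges

function Test-TrustedSource {
    param([string]$Ip)
    foreach ($prefix in $TrustedPrefixes) {
        if ($Ip.StartsWith($prefix)) { return $true }
    }
    return $false
}

function Get-RdpLogons {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 4624 = successful logon; the logon type is inside the event's EventData XML.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $field[$d.Name] = $d.'#text'
            }
            if ($field['LogonType'] -eq '10') {     # 10 = RemoteInteractive (RDP)
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                    Source  = $field['IpAddress']
                    Trusted = Test-TrustedSource -Ip $field['IpAddress']
                }
            }
        }
}

# Usage: show RDP logons from the last day that did not come through a trusted range.
Get-RdpLogons -Hours 24 | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
```

A logon with `Trusted = False` means someone reached the desktop without passing through the VPN or gateway, which is exactly the exposure the paragraph warns about; on a server that should only be reachable through a gateway, every such row is worth an incident ticket. The same logon-type filter is the building block for a continuous EDR or SIEM rule, where it can be correlated with the follow-on behaviors named above, such as Mimikatz execution or anti-virus processes being terminated.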