A new ransomware family, Tycoon, was reported by analysts at BlackBerry to be targeting Windows® and Linux® systems using a Trojanized Java Runtime Environment (JRE) and leveraging a JIMAGE file to evade detection. The JIMAGE file format is a special file format used to store custom JRE images that the Java Virtual Machine loads at runtime. These files are similar to JAR files, but they are mostly internal to the Java Development Kit and are rarely used by developers.
To establish persistence, the attackers take advantage of a little-known technique called Image File Execution Options (IFEO) injection. IFEO settings are a series of registry keys that define how a file should be opened (what program opens it, whether a debugger should be attached, and so on). In this case, the attackers set the On-Screen Keyboard IFEO key so that when OSK.exe is launched, the malware is launched as well. The attackers were able to disable anti-virus software easily using the freely available program Process Hacker 2. They also used Mimikatz to recover plain-text passwords from memory and changed the passwords of the administrator accounts to take complete control of the servers before beginning to encrypt all the files.
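The IFEO redirection described above relies on the `Debugger` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>`: when that value is present, Windows starts the named "debugger" command instead of, and with, the requested program. A defender can audit the whole IFEO hive for such values. The script below is an added example written for this article, not code from BlackBerry or from the Tycoon analysis; it parses the text produced by `reg export` and flags every subkey that carries a `Debugger` value, rating one that points outside the Windows system directories as the stronger signal. The embedded export is a constructed sample, and the `C:\ProgramData\PLACEHOLDER\...` path stands in for whatever location a real incident would show.

```python
import re

# Constructed sample of a `reg export` of the IFEO hive (not from the article).
# notepad.exe carries a harmless debugging flag; osk.exe carries the
# Debugger-redirection pattern the article describes, with a placeholder path.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\ProgramData\\PLACEHOLDER\\bin\\java.exe -cp C:\\ProgramData\\PLACEHOLDER\\lib"
'''

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Directories from which a Debugger entry is at least plausible (e.g. a
# vendor JIT debugger); anything else is treated as the higher-priority finding.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def unescape_reg_string(raw):
    """Decode a REG_SZ value as written by reg export (\\ and \" escapes);
    non-string types such as dword: are returned unchanged."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw


def parse_reg_export(text):
    """Return {image_name: {value_name: value}} for every subkey under IFEO."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Only subkeys of IFEO matter; the IFEO key itself has no image name.
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = key[len(IFEO_PREFIX) + 1:]
                entries[current] = {}
            else:
                current = None
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                entries[current][m.group(1)] = unescape_reg_string(m.group(2))
    return entries


def debugger_image(cmdline):
    """Extract the executable from a Debugger command line (quoted or not)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def find_ifeo_debuggers(entries):
    """Flag every Debugger value; each one redirects launches of that image."""
    findings = []
    for image, values in entries.items():
        for name, value in values.items():
            if name.lower() != "debugger":
                continue
            target = debugger_image(value).lower()
            findings.append({
                "image": image,
                "debugger": value,
                "outside_system_dirs": not target.startswith(SYSTEM_DIRS),
            })
    return findings


if __name__ == "__main__":
    for f in find_ifeo_debuggers(parse_reg_export(SAMPLE_REG_EXPORT)):
        severity = "HIGH" if f["outside_system_dirs"] else "review"
        print(f"[{severity}] {f['image']} -> {f['debugger']}")
```

To run it against a live host, export the hive first with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16. A legitimate `Debugger` entry is rare enough that every hit deserves a look; the system-directory check only orders the queue.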