Charon Ransomware Targets Middle East with Advanced Persistent Threat (APT) Attack Methods
A new campaign of Charon ransomware has been discovered, targeting the Middle East's public sector and aviation industry. The threat actor behind this activity has employed tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and endpoint detection and response (EDR) evasion.
Trend Micro researchers have uncovered Charon, a new ransomware family that is using APT-style tactics to target specific organizations. The experts found similarities with techniques used by China-linked Earth Baxia operations but could also be a false flag or copycat.
Characteristics of the Charon Ransomware
The Charon ransomware attack uses partial encryption, disables security tools via Bring Your Own Vulnerable Driver (BYOVD), and issues victim-specific ransom notes. This suggests that the campaign is targeted, with a focus on specific organizations rather than random attacks.
Attack Chain and Delivery Method
The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR). This technique allowed the ransomware payload to be decrypted and injected into svchost.exe, which evaded detection.
The multistage payload extraction involved DumpStack.log, hiding encrypted shellcode that unpacked further layers until the final ransomware executable was obtained. This layered encryption and process injection allowed Charon to masquerade as a legitimate Windows service while encrypting files and creating ransom notes.
Operational Capabilities of Charon Ransomware
The fully deobfuscated Charon ransomware shows advanced encryption and operational capabilities. It accepts command-line arguments to log errors, target specific network shares or paths, and change encryption order.
The malware creates a mutex (“OopsCharonHere”) and disables security tools using a driver compiled from the open-source Dark-Kill project. The ransomware deletes backups and Recycle Bin contents to maximize disruption. It also uses multithreading to speed up the encryption process.
Spread and Ransom Notes
The malware spreads via network shares, drops victim-specific ransom notes, and contains a dormant Dark-Kill–based EDR-disabling driver, suggesting ongoing development.
"Beyond its core encryption functionality, Charon also exhibits several other notable behaviors," said the report. "It demonstrates network propagation capabilities, actively scanning for and encrypting accessible network shares across the infrastructure via NetShareEnum and WNetEnumResource."
Conclusion
"Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations," concludes the report.
This case exemplifies a concerning trend: the adoption of APT-level techniques by ransomware operators. As organizations face increasing risks from these types of attacks, it is essential to stay vigilant and adopt robust cybersecurity measures to protect against these threats.