Charon Ransomware
Cybersecurity experts have uncovered a fresh ransomware campaign leveraging a previously unknown strain named Charon, aimed specifically at the public sector and aviation industry in the Middle East. The operation displays a high level of sophistication, with tactics typically associated with advanced persistent threat (APT) actors.
Borrowing Tactics from APT Playbooks
The attackers employed advanced techniques such as DLL side-loading, process injection, and evasive maneuvers designed to bypass endpoint detection and response (EDR) tools. Notably, the DLL side-loading approach mirrors methods observed in attacks by Earth Baxia, a China-linked hacking group known for targeting government entities in Taiwan and the Asia-Pacific region.
In those past incidents, Earth Baxia had exploited a now-patched flaw in OSGeo GeoServer GeoTools to deliver a backdoor called EAGLEDOOR. In the Charon case, the attack used a legitimate file, Edge.exe (originally cookie_exporter.exe), to load a malicious msedge.dll known as SWORDLDR, which then deployed the Charon ransomware payload.
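As an added illustration from the defender's side (not code from the original article or from the researchers who analysed Charon), the following Python check flags the side-loading pattern just described: a host binary whose on-disk name differs from its PE original filename loading a DLL with a well-known name from a directory where it does not belong. The event record shape and field names, the allow-listed Edge directories, and the two sample events are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed shape of an image-load telemetry record (field names are not from any
# specific product; map them to your EDR or Sysmon image-load events as needed).
@dataclass
class ImageLoad:
    image: str            # full path of the process executable
    image_original: str   # PE "OriginalFilename" of that executable
    loaded: str           # full path of the DLL that was loaded
    loaded_signed: bool   # whether the DLL carries a valid Authenticode signature

# Assumed allow-list: directory prefixes from which msedge.dll is legitimately loaded.
EXPECTED_DLL_DIRS = {
    "msedge.dll": [
        r"C:\Program Files\Microsoft\Edge\Application",
        r"C:\Program Files (x86)\Microsoft\Edge\Application",
    ],
}

def side_load_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons (possibly none) why this load looks like DLL side-loading."""
    reasons = []
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.loaded)
    # 1. Renamed legitimate host: Edge.exe on disk, cookie_exporter.exe inside the PE.
    if exe.name.lower() != ev.image_original.lower():
        reasons.append("host binary renamed from its PE original filename")
    # 2. A DLL name that belongs to a known product, loaded from outside its install dirs.
    expected = [d.lower() for d in EXPECTED_DLL_DIRS.get(dll.name.lower(), [])]
    if expected and not any(str(dll.parent).lower().startswith(d) for d in expected):
        reasons.append("known DLL name loaded from an unexpected directory")
    # 3. Classic side-load shape: unsigned DLL sitting next to the host executable.
    if dll.parent == exe.parent and not ev.loaded_signed:
        reasons.append("unsigned DLL loaded from the host executable's own directory")
    return reasons

# Constructed sample events: one modelled on the chain described above, one benign.
SUSPICIOUS = ImageLoad(r"C:\Users\Public\Edge.exe", "cookie_exporter.exe",
                       r"C:\Users\Public\msedge.dll", loaded_signed=False)
BENIGN = ImageLoad(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
                   r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge.dll",
                   loaded_signed=True)

if __name__ == "__main__":
    for ev in (SUSPICIOUS, BENIGN):
        print(ev.image, "->", ev.loaded, side_load_indicators(ev) or "no indicators")
```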
Capabilities of the Charon Ransomware
Once deployed, Charon behaves like other destructive ransomware variants, but with optimizations that make it both disruptive and efficient. It can:
- Terminate security-related services and active processes.
- Delete backups and shadow copies to hinder recovery.
- Use multithreading and partial encryption for faster file-locking.
Another interesting feature is its incorporation of a driver compiled from the open-source Dark-Kill project. This enables a bring your own vulnerable driver (BYOVD) attack to disable EDR tools. However, researchers found that this capability is not yet active, suggesting it is still under development.
Signs of a Targeted Operation
Investigators believe this campaign was deliberate rather than opportunistic. This conclusion is based on the presence of a ransom note customized to mention the victim organization by name, a rarity in typical ransomware incidents. The method used for initial access remains unknown.
Uncertain Attribution
While Charon’s techniques share similarities with Earth Baxia’s operations, experts caution that this overlap could indicate:
- Direct involvement of Earth Baxia.
- A false flag operation designed to imitate Earth Baxia.
- A new group independently developing similar tactics.
Without clear evidence like shared infrastructure or consistent targeting patterns, the connection remains speculative.
The Growing Convergence of Cybercrime and Nation-State Tactics
This incident underscores a concerning trend: ransomware groups are increasingly adopting APT-grade methods for intrusion and evasion. The blend of stealthy tradecraft with the immediate financial and operational damage of ransomware encryption significantly raises the stakes for targeted organizations.