
Tycoon Ransomware Banks on Unusual Image File Tactic
2020-06-04 20:55

A new ransomware strain called Tycoon is seeking to wheel and deal its way into the Windows and Linux worlds, using a little-known Java image format as part of its kill chain.

Working with KPMG's UK Cyber Response Services, the researchers analyzed a targeted attack using the previously unknown malware on an organization's domain controller and file servers.

JIMAGE is a special file format used to store the class and resource files of multiple Java modules to support a custom JRE. It's rarely used by developers, unlike its cousin, the popular Java Archive (JAR) format, researchers said.

"Because of the use of the asymmetric RSA algorithm to encrypt the securely generated AES keys, the file decryption requires obtaining the attacker's private RSA key," researchers explained.

The analysis flagged a few other novel approaches in Tycoon, including the use of Image File Execution Options injection to achieve persistence on the victim's machine.
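An Image File Execution Options (IFEO) injection works by registering a `Debugger` value under the IFEO registry key for a target executable, so the registered program is launched whenever that executable starts. The following PowerShell audit is an added example, not code from the Threatpost article or from the Tycoon analysis; it assumes it is run with rights to read HKLM and lists every IFEO entry that carries a `Debugger` value so a responder can review them (a clean system normally has none).

```powershell
# Added example: enumerate IFEO "Debugger" values, the setting that IFEO
# injection persistence abuses. Both the native and WOW6432Node views are
# checked because 32-bit images on 64-bit Windows are redirected there.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    param([string[]]$Paths = $IfeoPaths)

    foreach ($root in $Paths) {
        # Each subkey is named after the image (e.g. notepad.exe) it applies to.
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties['Debugger']) {
                [pscustomobject]@{
                    Image    = $_.PSChildName
                    Debugger = $props.Debugger
                    Key      = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
        }
    }
}

# Print any findings; an empty table means no Debugger values are registered.
Get-IfeoDebuggerEntries | Format-Table -AutoSize
```

Any `Debugger` value found should be compared against known legitimate tooling (for example, a developer's debugger deliberately attached to a process) before being treated as persistence.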
News URL

https://threatpost.com/tycoon-ransomware-unusual-image-file-tactic/156326/