Cybersecurity researchers have uncovered a new and highly sophisticated ransomware family named Charon, which has been deployed in targeted attacks against the public sector and aviation industry in the Middle East. The threat actors behind these attacks are using tactics typically associated with advanced persistent threat (APT) groups, a concerning convergence of methods that elevates the risk for targeted organizations. The attack chain begins with a technique called DLL side-loading, where the attackers leverage a legitimate application—in this case, an Edge.exe file—to load a malicious DLL. This malicious DLL, disguised as msedge.dll, then proceeds to decrypt and inject the Charon ransomware payload into a legitimate Windows service, svchost.exe, making it incredibly difficult for standard security tools to detect and stop the malicious activity. This layered approach to payload delivery and process injection is a hallmark of sophisticated cyber espionage and reflects a significant leap in ransomware capabilities.
Once deployed, Charon exhibits a range of advanced features designed to maximize damage and impede recovery. The ransomware uses a multi-stage payload extraction process, where encrypted code is hidden within seemingly innocuous files like DumpStack.log, before being unpacked and executed. This technique adds another layer of stealth and complexity to the attack. The ransomware itself is designed for efficiency and stealth; it leverages multithreading to speed up the encryption process and uses a Curve25519 + ChaCha20 algorithm to partially encrypt files. This partial encryption, which avoids certain file extensions, is a strategic choice meant to hasten the process while still rendering files unusable. To further complicate recovery, Charon deletes backups and the contents of the Recycle Bin. The malware also drops victim-specific ransom notes, a tactic that suggests a highly targeted and methodical approach rather than a broad, opportunistic campaign.
One of Charon’s most notable features is its ability to evade Endpoint Detection and Response (EDR) solutions. The ransomware contains a driver compiled from the open-source Dark-Kill project, which is designed to perform a “bring your own vulnerable driver” (BYOVD) attack to disable security tools. Although this specific functionality was not observed to be triggered in the attacks, its presence indicates that the developers are actively working on advanced evasion techniques. This dormant capability is a clear warning sign of future developments and underscores the threat actors’ long-term intent and technical prowess. The presence of this un-triggered but fully functional code suggests an ongoing development cycle and a desire to build a robust, constantly evolving toolkit.
Charon also possesses strong network propagation capabilities. The ransomware actively scans for and encrypts accessible network shares using Windows functions like NetShareEnum and WNetEnumResource. It processes both mapped drives and Universal Naming Convention (UNC) paths, allowing it to move laterally across an organization’s network and infect multiple systems. Interestingly, it is programmed to skip ADMIN$ shares to avoid detection, which again points to a sophisticated understanding of network administration and security protocols. This selective targeting and propagation capability further reinforces the idea that these are not random attacks but carefully planned operations. The use of a mutex, OopsCharonHere, also helps to ensure that only a single instance of the ransomware is running on a machine at a time, a small detail that speaks to the professionalism of the attackers.
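As an added defender-side example (not code from this article or from Trend Micro's research), the Python script below turns the indicators described above into simple detection checks run over a few constructed telemetry records: msedge.dll loaded from outside Edge's install directory, Edge.exe opening svchost.exe, a DumpStack.log read by a process outside the Windows directory, and creation of the OopsCharonHere mutex. The record format, its field names and the trusted Edge install paths are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed telemetry records in a simplified, vendor-neutral shape (assumption:
# field names here are hypothetical; map real EDR or Sysmon fields onto them).
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Users\u\Downloads\Edge.exe",
     "image": r"C:\Users\u\Downloads\msedge.dll"},
    {"type": "image_load",
     "process": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"},
    {"type": "process_access", "source": r"C:\Users\u\Downloads\Edge.exe",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"type": "file_read", "process": r"C:\Users\u\Downloads\Edge.exe",
     "path": r"C:\Users\u\Downloads\DumpStack.log"},
    {"type": "mutex_create", "process": r"C:\Windows\System32\svchost.exe",
     "name": "OopsCharonHere"},
]

# Assumption: Edge's usual install directories; an msedge.dll loaded from
# anywhere else is treated as a possible side-loading attempt.
TRUSTED_EDGE_DIRS = {
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
}
WINDOWS_DIR = r"c:\windows"

def _name(path):
    return PureWindowsPath(path).name.lower()

def _parent(path):
    return str(PureWindowsPath(path).parent).lower()

def check_event(ev):
    """Return the indicator names one telemetry record matches (empty if none)."""
    hits, t = [], ev.get("type")
    if t == "image_load" and _name(ev["image"]) == "msedge.dll" \
            and _parent(ev["image"]) not in TRUSTED_EDGE_DIRS:
        hits.append("msedge.dll loaded outside Edge install dir (side-loading)")
    if t == "process_access" and _name(ev["source"]) == "edge.exe" \
            and _name(ev["target"]) == "svchost.exe":
        hits.append("Edge.exe opening svchost.exe (possible injection)")
    if t == "file_read" and _name(ev["path"]) == "dumpstack.log" \
            and not _parent(ev["process"]).startswith(WINDOWS_DIR):
        hits.append("DumpStack.log read by non-Windows process (payload staging)")
    if t == "mutex_create" and ev.get("name") == "OopsCharonHere":
        hits.append("Charon mutex OopsCharonHere created")
    return hits

def scan(events):
    """Map event index -> matched indicators, omitting clean events."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], hits)
```

The legitimate Edge load (record 1) produces no hit, which is the false-positive case a rule keyed only on the DLL name would miss.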
A Growing Threat Landscape
The emergence of Charon highlights a troubling trend in the cybersecurity landscape: the blending of APT-style tactics with ransomware operations. This convergence means that ransomware is no longer just a financial nuisance but can be part of a larger, more destructive and strategic campaign. While the full extent of Charon’s capabilities is still being unraveled, the current findings from Trend Micro researchers indicate a serious threat to organizations, particularly those in critical sectors. The campaign’s use of targeted attacks, sophisticated evasion techniques, and potential false flags—such as similarities to China-linked Earth Baxia operations—demands that organizations bolster their defenses and remain vigilant against these evolving and increasingly dangerous threats.