Tycoon Ransomware … Hides first and hits hard

Tycoon ransomware uses an uncommon data format to evade security defenses

A new Java-based ransomware strain dubbed ‘Tycoon’ is being deployed using an uncommon data format in an effort to evade security defenses. Tycoon is a multi-platform ransomware targeting both Windows and Linux devices.

The malware, first seen in the wild in December 2019, is deployed in the form of a trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format in an attempt to “fly under the radar”.

Hide with a Vengeance

In an investigation of an intrusion at an unnamed European educational institution, researchers found that the threat actors were able to bypass security and gain access to critical enterprise servers.

This, the researchers say, paints a picture of how attackers are “shifting away from conventional tactics towards uncommon programming languages and data formats”.

The main thing that makes Tycoon stand out is that it was written in Java and deployed from an uncommon Java Image format (JIMAGE).

Java is seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code.

Most of the known Java-based malware uses the Java Archive format (JAR), but we haven’t seen malware using the JIMAGE format before.

“The advantage of writing malware in Java is the portability between operating systems, while using an uncommon file format helps the malware fly under the radar.”
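Because the evasion described above rests on the file format rather than on any obfuscation, a useful defensive check is to identify JIMAGE containers by their header, not by their file name or extension. The following Python helper is an added example for this post, not code from the original article or from any vendor tooling. It assumes the header layout used by OpenJDK's jimage reader: seven 32-bit fields (magic, packed major/minor version, flags, resource count, table length, locations size, strings size) written in the producing host's byte order, with magic 0xCAFEDADA. The sample headers it parses are constructed inline, and the "expected location" rule (a legitimate image lives at `lib/modules` inside a JDK/JRE 9+ tree) is a triage heuristic chosen here, not a claim from the article.

```python
"""Triage helper: recognise JIMAGE containers by header magic, not by name.

Added example (not from the original post). Header layout is assumed from
OpenJDK's ImageHeader: seven u4 fields in native byte order, magic 0xCAFEDADA.
"""
import struct
from dataclasses import dataclass
from typing import Optional

JIMAGE_MAGIC = 0xCAFEDADA
HEADER_LEN = 7 * 4          # seven 32-bit header slots


@dataclass
class JImageHeader:
    byte_order: str          # "<" little-endian or ">" big-endian producer
    major: int
    minor: int
    flags: int
    resource_count: int


def parse_jimage_header(data: bytes) -> Optional[JImageHeader]:
    """Return header fields if `data` starts with a JIMAGE header, else None.

    The magic is stored in the producer's native byte order, so both orders
    are tried; a byte-swapped magic is still a JIMAGE file.
    """
    if len(data) < HEADER_LEN:
        return None
    for order in ("<", ">"):
        fields = struct.unpack(order + "7I", data[:HEADER_LEN])
        if fields[0] != JIMAGE_MAGIC:
            continue
        version = fields[1]           # major << 16 | minor
        return JImageHeader(order, version >> 16, version & 0xFFFF,
                            fields[2], fields[3])
    return None


def is_expected_jimage_path(path: str) -> bool:
    """Heuristic (assumption): legitimate images sit at <jdk>/lib/modules."""
    parts = path.replace("\\", "/").rstrip("/").split("/")
    return len(parts) >= 2 and parts[-2] == "lib" and parts[-1] == "modules"


def triage(path: str, data: bytes) -> str:
    """Classify a file for review: not a JIMAGE, expected JRE image, or suspect."""
    header = parse_jimage_header(data)
    if header is None:
        return "not-jimage"
    if is_expected_jimage_path(path):
        return "jimage-expected-location"
    return "jimage-unexpected-location"


def build_sample_header(order: str, major: int, minor: int,
                        resource_count: int) -> bytes:
    """Constructed sample header (test data only, not a real JRE image)."""
    return struct.pack(order + "7I", JIMAGE_MAGIC, (major << 16) | minor,
                       0, resource_count, 0, 0, 0) + b"\x00" * 16


if __name__ == "__main__":
    # Constructed inputs: a genuine-looking image in place, a renamed copy
    # dropped elsewhere, and an ordinary ZIP/JAR header for contrast.
    samples = {
        "/opt/java/lib/modules": build_sample_header("<", 1, 0, 3),
        "/tmp/update/data.bin": build_sample_header(">", 1, 0, 3),
        "/tmp/update/app.jar": b"PK\x03\x04" + b"\x00" * 40,
    }
    for path, blob in samples.items():
        print(f"{path}: {triage(path, blob)}")
```

In a real deployment the same logic would run over files collected from endpoints, so that a JIMAGE (and the custom JRE shipped alongside it) found outside a standard Java installation becomes a review item even though nothing about its name or extension looks unusual.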

Rising from obscurity

Last week Microsoft issued a warning about another Java-based ransomware, PonyFinal. This report follows on from that warning.

Microsoft said the PonyFinal threat actors have primarily targeted endpoints that already have JRE installed.

There are some key differences between the two campaigns.

“Tycoon comes bundled together with a custom JRE build, so it does not rely on a Java environment being installed on the victim’s machine,”

“Unlike PonyFinal, the malicious module is compiled into a JIMAGE, which is significantly less common than JAR.”

Highly targeted

Although Tycoon has been active for at least six months, there have been a limited number of victims.

“Malware writers are constantly seeking new ways of flying under the radar,”

“They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats.”
