Trend Micro researchers recently identified a new ransomware family called Charon, deployed in a targeted attack observed in the Middle East’s public sector and aviation industry.
The threat actor employed a DLL sideloading technique notably similar to tactics previously documented in the Earth Baxia campaigns, which have historically targeted government sectors. The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload. Analysis of the msedge.dll component revealed it was designed to load a file named DumpStack.log, which was absent from the Trend Micro initial telemetry.
Read more…
Source:Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Swedish Health Agency shuts down SmiNet after hacking attempts
May 31, 2021
The Swedish Public Health Agency (Folkhälsomyndigheten) has shut down SmiNet, the country’s infectious diseases database, on Thursday after it was targeted in several hacking attempts. SmiNet, which is also used to store electronic reports with statistics on COVID-19 infections, was shut down on Thursday to investigate the attacks and was brought back online on Friday evening. Read ...
- ‘We won’t pay ransom,’ says Ireland after attack on health service
May 17, 2021
Ireland’s Health Service Executive (HSE) has ruled out giving in to hackers’ demands as the country’s healthcare and social services continue to deal with the disruption caused by a significant ransomware attack that occurred a few days ago. The HSE has now confirmed that a ransom has been sought by the attackers, although the exact amount ...
- How UK National Health Service learned the lessons of WannaCry to protect hospitals from attack
May 13, 2021
Four years ago, the UK’s National Health Service suddenly found itself one of the most high-profile victims of a global cyberattack. On 12 May 2017, WannaCry ransomware hit organisations around the world, but hospitals and GP surgeries throughout England and Scotland were particularly badly affected. A significant number of services were disrupted as malware encrypted computers ...
- Incremental improvements are not enough as Biden signs order boosting US cyber posture
May 13, 2021
United States President Joe Biden signed an executive order on Wednesday to boost the cyber posture of the federal government. The order points to recent incidents including the ransomware attack on Colonial Pipeline, Exchange vulnerabilities that led to the FBI removing web shells from US servers, and the SolarWinds attack. The order said the federal government must ...
- DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
May 11, 2021
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the entity’s ...
- Industrial Cybersecurity: Guidelines for Protecting Critical Infrastructure
May 11, 2021
Over the weekend, the Alpharetta, GA based Colonial Pipeline was hit by an extensive ransomware attack that shut down its information technology (IT) and industrial operational technology (OT) systems. Simply put, an all-too-common ransomware event targeting IT systems encouraged a voluntary shutdown on the production side (OT) of the business to prevent further exposure. Colonial ...