Tycoon: Ransomware Targeting Java’s JIMAGE on Multiple Platforms
The Blackberry Research and Intelligence Team and KPMG’s UK Cyber Response Services Team have reported “Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors.” This report outlines the “multi-platform Java ransomware targeting Windows and Linux that has been observed in-the-wild since at least December 2019” and which they’ve called “Tycoon.”
The report provides a high-level description of how the Tycoon ransomware is executed: “Tycoon ransomware comes in form of a ZIP archive containing a Trojanized Java Runtime Environment (JRE) build. The malware is compiled into a Java image file (JIMAGE) located at lib\modules within the build directory.” The report describes the “sparsely documented” JIMAGE “file format that stores custom JRE images which is designed to be used by the Java Virtual Machine (JVM) at runtime.” Additional high-level overviews of the JIMAGE file format can be found in JIMAGE – Java Image File Format, How Modules Are Packaged in Java 9, What Is a Custom Runtime Image in Java 9?, So what is a .jimage?, Alan Bateman’s description, and slide 49 of JDK 9 Java Platform Module System. The JIMAGE format was introduced with JDK 9 modularity (Project Jigsaw).
Alan Bateman (owner of JEP 220 [“Modular Run-Time Images”]) has explained why it’s difficult to find documentation on the JIMAGE format: “The format is deliberately not documented and best to assume it will change and evolve over time as it inhales new optimizations.” The jdk.jlink module documentation provides very brief mention of the jimage command-line tool and mentions that it is used “for inspecting the JDK implementation-specific container file for classes and resources.” It also points out that there is no API for accessing jimage, which is different than for the module’s two other tools (jlink and jmod). Similarly, there is no jimage tool reference on the “Java Development Kit Version 14 Tool Specifications” page even though jlink, jmod, and many other tools are featured there.
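Because there is no public API for the image and the jimage tool only ships inside a JDK, a defender auditing a suspicious JRE build (for example one unpacked from a ZIP like the Tycoon sample) can still sanity-check lib/modules directly. The following Python is an added example, not code from the original article or from the BlackBerry/KPMG report. Its header layout (seven 32-bit words in native byte order: magic 0xCAFEDADA, version as major << 16 | minor, flags, resource count, table length, locations size, strings size) reflects the layout in OpenJDK’s jdk.internal.jimage.ImageHeader as understood here and should be treated as an assumption, since the format is undocumented and may change between releases. The sample header it parses is constructed inline; describe_modules_file is a hypothetical helper for running the same check on a real file and recording a hash to compare against a known-good JDK of the same version.

```python
"""Minimal JIMAGE header parser (added example, not from the original post).

Assumed layout (from OpenJDK's jdk.internal.jimage.ImageHeader): seven 32-bit
words in native byte order: magic, version (major << 16 | minor), flags,
resource count, table length, locations size, strings size. The redirect and
offsets tables that follow the header each hold table_length 32-bit slots.
"""
import hashlib
import struct
from dataclasses import dataclass
from pathlib import Path

JIMAGE_MAGIC = 0xCAFEDADA
HEADER_WORDS = 7
HEADER_BYTES = HEADER_WORDS * 4


@dataclass(frozen=True)
class JImageHeader:
    byte_order: str          # "<" little-endian or ">" big-endian
    major: int
    minor: int
    flags: int
    resource_count: int
    table_length: int
    locations_size: int
    strings_size: int

    @property
    def index_size(self) -> int:
        """Bytes covered by header, redirect table, offsets table, locations and strings."""
        return (HEADER_BYTES + 2 * 4 * self.table_length
                + self.locations_size + self.strings_size)


def parse_header(data: bytes) -> JImageHeader:
    """Parse the fixed header, trying both byte orders since the file is written natively."""
    if len(data) < HEADER_BYTES:
        raise ValueError("too short to be a JIMAGE file")
    for order in ("<", ">"):
        words = struct.unpack(order + "7I", data[:HEADER_BYTES])
        if words[0] == JIMAGE_MAGIC:
            break
    else:
        raise ValueError("bad magic: not a JIMAGE file")
    version = words[1]
    return JImageHeader(order, version >> 16, version & 0xFFFF, *words[2:])


def build_sample_header(resource_count: int, table_length: int,
                        locations_size: int, strings_size: int,
                        order: str = "<") -> bytes:
    """Constructed sample header for offline testing; not a real lib/modules."""
    return struct.pack(order + "7I", JIMAGE_MAGIC, (1 << 16) | 0, 0,
                       resource_count, table_length, locations_size, strings_size)


def describe_modules_file(path) -> dict:
    """Hypothetical defender check: header fields plus SHA-256 of a lib/modules file.

    'plausible' is False when the header claims an index larger than the file,
    which a genuine jlink output never does. Compare the hash against the
    lib/modules of a clean JDK/JRE of the same version and vendor.
    """
    raw = Path(path).read_bytes()
    hdr = parse_header(raw)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "version": f"{hdr.major}.{hdr.minor}",
        "byte_order": hdr.byte_order,
        "resources": hdr.resource_count,
        "index_size": hdr.index_size,
        "plausible": hdr.index_size <= len(raw),
    }


if __name__ == "__main__":
    # Constructed input: a header claiming 1234 resources and a 2048-slot table.
    sample = build_sample_header(1234, 2048, 40000, 120000)
    print(parse_header(sample))
```

The byte-order probe matters on the defender's side: a lib/modules built on a big-endian host will not parse with a fixed little-endian reader, and a tool that silently reports "bad magic" for it would hide exactly the kind of custom build the report describes. The resource count is also a cheap triage signal, since a trojanized build that adds a module will carry more resources than the vendor image it was derived from.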
The previously mentioned report states that “the ransomware is triggered by executing a shell script that runs the Main function of the malicious Java module using the java -m command.” The report also talks about Tycoon using Image File Execution Options Injection with Windows registry and then appearing to target Windows and Linux: “The malicious JRE build contains both Windows and Linux versions of this script.” This report adds that Tycoon’s “Trojanized Java Runtime Environment (JRE) build” exists as a ZIP file placed in lib/module.
The “Conclusions” section of “Tycoon Ransomware Targets Education and Software Sectors” draws some interesting conclusions based on research observations. In particular, I find it interesting to read why they believe Tycoon is used in a targeted attack. The authors also point out, “This is the first sample we’ve encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build.”
I recommend reading the report “Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors” directly, but for those interested in summaries and others’ observations related to this report, the following may be of interest.
- A new Java-based ransomware targets Windows and Linux (TechCrunch)
- This new ransomware is targeting Windows and Linux PCs with a ‘unique’ attack (ZDNet)
- Newly discovered Tycoon ransomware leverages obscure Java image format (Silicon Angle)
- Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion (SecurityWeek)
- There’s a new Java ransomware family on the block (CyberScoop)
The discovery of Tycoon is likely to bring significantly more attention to JIMAGE than ever before.
Published on Java Code Geeks with permission by Dustin Marx, partner at our JCG program. See the original article here: Tycoon: Ransomware Targeting Java’s JIMAGE on Multiple Platforms. Opinions expressed by Java Code Geeks contributors are their own.