A new ransomware strain called Charon has been making headlines after targeting organizations in the Middle East. The main victims are from the public sector and aviation industry. What makes this attack more dangerous than usual is that the hackers are using techniques normally seen in nation-state cyber espionage groups. This makes the ransomware much harder to detect and stop.

The Charon ransomware campaign is not random. It is a targeted operation where the attackers customize ransom notes to include the name of the organization they’ve compromised. This shows that they research their victims in advance, aiming for high-value and critical targets rather than going after just anyone.

The attack starts by abusing a legitimate Windows program called Edge.exe. Originally named cookie_exporter.exe, this program is used to load (via DLL sideloading) a malicious DLL file named msedge.dll, also known as SWORDLDR. This loader is the key to delivering the ransomware payload into the system without raising immediate suspicion.

To hide the real malicious code, the attackers store it in a file called DumpStack.log. At first glance, it looks like a harmless log file, but it actually contains encrypted shellcode. When decrypted, this shellcode reveals the Charon ransomware payload, which is then injected into a Windows process called svchost.exe. This technique makes it blend in with normal system activity, reducing the chances of being detected by security tools.

Once inside the system, Charon quickly moves to disable security defenses. It shuts down antivirus software, stops security-related services, deletes shadow copies (which are used for system recovery), and even empties the Recycle Bin. The ransomware then encrypts files using multiple threads to speed up the process. Encrypted files are given the “.Charon” extension, and each one carries a small infection marker that reads: “hCharon is enter to the urworld!”.
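The loader chain (renamed executable sideloading msedge.dll, shellcode staged in DumpStack.log, payload injected into svchost.exe) and the shadow-copy deletion described above each leave a footprint in endpoint telemetry. The following is an added example, not code from the original article or from any vendor report: a small detector run over constructed Sysmon-style events. The event field names are a simplified assumption rather than Sysmon's real schema, the staging directory C:\Users\Public is a placeholder (the article does not say where the files are dropped), and the rules key on the artifact names the article gives (msedge.dll, DumpStack.log, svchost.exe) plus two well-known shadow-copy deletion command lines.

```python
"""Flag the Charon loader chain and defence tampering in Sysmon-style events.

Added example, not from the original article. Event fields are a simplified
stand-in for Sysmon process-create, image-load and file-create records
(assumption: real Sysmon field names differ). All sample events are constructed.
"""
import ntpath
from dataclasses import dataclass

# Directories Windows normally loads signed, vendor-installed DLLs from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

# Command-line fragments that delete Volume Shadow Copies (well-known patterns).
SHADOW_DELETE = (("vssadmin", "delete shadows"), ("wmic", "shadowcopy delete"))


@dataclass
class Event:
    kind: str          # "process_create" | "image_load" | "file_create"
    image: str         # path of the process that produced the event
    parent: str = ""   # parent image      (process_create)
    cmdline: str = ""  # command line      (process_create)
    loaded: str = ""   # DLL path          (image_load)
    target: str = ""   # created file path (file_create)


def _dir(p):
    return ntpath.dirname(p.lower())


def _name(p):
    return ntpath.basename(p.lower())


def find_indicators(events):
    """Return (rule, detail) pairs, in event order.

    sideload  - msedge.dll loaded from the loading executable's own directory,
                outside TRUSTED_DIRS. Keyed on the DLL, not the EXE, because the
                renamed cookie_exporter.exe can carry any file name.
    staging   - DumpStack.log created anywhere but C:\\Windows, where the
                genuine kernel crash-dump log lives.
    injection - svchost.exe started by something other than services.exe
                (heuristic; tune for your environment).
    tamper    - shadow-copy deletion on the command line.
    """
    hits = []
    for ev in events:
        if ev.kind == "image_load" and _name(ev.loaded) == "msedge.dll":
            dll_dir = _dir(ev.loaded)
            if dll_dir == _dir(ev.image) and not dll_dir.startswith(TRUSTED_DIRS):
                hits.append(("sideload", f"{ev.image} loaded {ev.loaded}"))
        elif ev.kind == "file_create" and _name(ev.target) == "dumpstack.log":
            if _dir(ev.target) != r"c:\windows":
                hits.append(("staging", ev.target))
        elif ev.kind == "process_create":
            if _name(ev.image) == "svchost.exe" and _name(ev.parent) != "services.exe":
                hits.append(("injection", f"svchost.exe started by {ev.parent}"))
            cmd = ev.cmdline.lower()
            if any(tool in cmd and arg in cmd for tool, arg in SHADOW_DELETE):
                hits.append(("tamper", ev.cmdline))
    return hits


def demo_events():
    """Constructed telemetry: benign activity first, then the described chain."""
    return [
        # benign: the real Edge loading its own msedge.dll from Program Files
        Event("image_load", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
              loaded=r"C:\Program Files\Microsoft\Edge\Application\msedge.dll"),
        # benign: services.exe starting a service host
        Event("process_create", r"C:\Windows\System32\svchost.exe",
              parent=r"C:\Windows\System32\services.exe", cmdline="svchost.exe -k netsvcs"),
        # benign: the kernel writing Windows' own DumpStack.log
        Event("file_create", "System", target=r"C:\Windows\DumpStack.log"),
        # suspicious chain; C:\Users\Public and dropper.exe are placeholders
        Event("file_create", r"C:\Users\Public\dropper.exe", target=r"C:\Users\Public\DumpStack.log"),
        Event("image_load", r"C:\Users\Public\Edge.exe", loaded=r"C:\Users\Public\msedge.dll"),
        Event("process_create", r"C:\Windows\System32\svchost.exe",
              parent=r"C:\Users\Public\Edge.exe", cmdline="svchost.exe"),
        Event("process_create", r"C:\Windows\System32\vssadmin.exe",
              parent=r"C:\Windows\System32\svchost.exe",
              cmdline="vssadmin.exe delete shadows /all /quiet"),
    ]


if __name__ == "__main__":
    for rule, detail in find_indicators(demo_events()):
        print(f"[{rule}] {detail}")
```

Running the block prints one line per hit; the three benign events produce nothing, while the constructed chain yields a staging, sideload, injection and tamper hit in that order. The sideload rule deliberately ignores the executable's name, since the article itself notes the binary was renamed from cookie_exporter.exe.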

The ransom note left behind is titled “How To Restore Your Files.txt” and contains instructions for paying the ransom. Since these notes are tailored to each victim, it’s clear the attackers are not using a mass-distribution approach.
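For incident responders, the three file-system artifacts the article names (the ".Charon" extension, the "hCharon is enter to the urworld!" marker and the "How To Restore Your Files.txt" note) are enough to scope an affected file share. The following triage helper is an added example, not code from the original article: it walks a directory tree and reports how many files carry the extension and marker and where ransom notes were dropped. The article does not say where in an encrypted file the marker sits, so the helper scans whole files (assumption); the sample tree it builds is constructed test data.

```python
"""Triage a file tree for the Charon impact indicators described above.

Added example, not from the original article. Indicator strings are the ones
the article gives; their position inside a file is not stated, so each file
is scanned in full (assumption, fine for triage of shares of moderate size).
"""
import os
import tempfile

EXT = ".Charon"
MARKER = b"hCharon is enter to the urworld!"
NOTE_NAME = "How To Restore Your Files.txt"


def triage_tree(root):
    """Walk `root` and summarise impact indicators.

    Returns a dict with:
      encrypted   - *.Charon files that also carry the marker
      ext_only    - *.Charon files without the marker (renamed but unmarked)
      marker_only - files carrying the marker under some other extension
      notes       - directories (relative to root) containing the ransom note
    """
    summary = {"encrypted": 0, "ext_only": 0, "marker_only": 0, "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                summary["notes"].append(os.path.relpath(dirpath, root))
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                has_marker = MARKER in fh.read()
            has_ext = name.endswith(EXT)
            if has_ext and has_marker:
                summary["encrypted"] += 1
            elif has_ext:
                summary["ext_only"] += 1
            elif has_marker:
                summary["marker_only"] += 1
    return summary


def build_sample_tree():
    """Create a constructed directory tree and return its path.

    Contents: two marked .Charon files, one .Charon file without the marker,
    one untouched document, and a ransom note in the root and in docs/.
    The encrypted-looking bytes are random filler, not real ciphertext.
    """
    root = tempfile.mkdtemp(prefix="charon_triage_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "budget.xlsx" + EXT), "wb") as fh:
        fh.write(os.urandom(64) + MARKER)
    with open(os.path.join(root, "docs", "plan.docx" + EXT), "wb") as fh:
        fh.write(MARKER + os.urandom(64))
    with open(os.path.join(root, "docs", "odd.bin" + EXT), "wb") as fh:
        fh.write(os.urandom(32))  # extension only, no marker
    with open(os.path.join(root, "docs", "readme.txt"), "wb") as fh:
        fh.write(b"untouched file\n")
    for sub in ("", "docs"):
        with open(os.path.join(root, sub, NOTE_NAME), "w") as fh:
            fh.write("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

The ext_only and marker_only buckets are kept separate on purpose: a file that was renamed but never marked, or marked but not renamed, usually means the encryptor was interrupted, which is exactly the kind of detail that matters when deciding how far an incident spread.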

Charon’s encryption method uses a combination of Curve25519 and ChaCha20 algorithms. Smaller files are fully encrypted, while larger ones are only partially encrypted to make the process faster without reducing the damage caused.

Interestingly, the tactics and tools used in these attacks show similarities to those linked to a known China-based espionage group called Earth Baxia. However, there is no confirmed proof that this group is behind Charon. The similarities could be the result of copied techniques, shared tools, or simply coincidence.

Another technical detail worth noting is that the ransomware includes a driver based on the public Dark-Kill project. This type of driver can be used in BYOVD (bring your own vulnerable driver) attacks, where hackers disable endpoint detection and response (EDR) software. In the current attacks, this driver was present but not activated, suggesting it might be reserved for future campaigns.

This attack highlights a worrying trend: ransomware gangs are now borrowing methods from advanced persistent threat (APT) groups. This combination of stealth and destructive power makes these attacks much harder to detect and respond to. For industries like aviation and public services, where downtime can have severe consequences, the stakes are extremely high.

The Charon ransomware case is a reminder that organizations need to go beyond basic security measures. Defenses should include monitoring for unusual process behavior, blocking unauthorized DLL loading, securing backup systems, and preventing attackers from disabling security tools. Even well-protected systems can be at risk when facing attackers that operate with such precision and planning.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news