Introduction

It has been said that a picture is worth a thousand words. In the world of malware, a picture is worth an infection — in other words, a picture can actually be the malware (ransomware, specifically in this case) that initially infects the compromised machine. This malware is called Tycoon and it uses an obscure image format to infect machines and inflict its ransomware chaos onto the compromised machine. 

This article will explore the Tycoon ransomware and detail what Tycoon is, how it works and how to prevent it.

What is Tycoon?

Tycoon is a ransomware that has been observed in the wild since December 2019. While its victim profile is relatively small, it targets small- and medium-sized businesses operating in both the software and educational fields. This has led researchers to conclude that its use is highly targeted, which means that its operators will selectively use the malware in situations where it is most likely to be successful.

Though deployed manually like many other ransomwares, what sets Tycoon apart is the fact that its operators spread Tycoon around with a zip file that contains what is called a Trojanized Java Runtime Environment build (JRE). It is compiled into a rarely seen file type called a Java image file (JIMAGE) that many (including myself) were not even aware existed. It is actually a little astonishing that this file format has not been more widely used in malware campaigns, due to the miniscule memory footprint that it leaves. More on this point later.

The combined usage of JRE and JIMAGE to infect systems with malware and ransomware means that it will not be spread via malspam and phishing campaigns. Rather, Tycoon is designed to be spread manually and faces the related challenges of manually spread malware such as a far smaller attack footprint and the (nearly) necessary component of there being a malicious insider at work. This is because it takes someone on the inside to either install the malware onto a system or to make it more likely that infection will occur by placing the infected file into the hands of the target system’s user. 

Either way you slice it, infecting systems with Tycoon is at once deliberate, planned and targeted. You can think of it as fishing with an aquarium net where you know the fish you want, as opposed to harvesting the ocean with a massive net and hoping to get as many fish as you can. 

How does Tycoon work?

The use of JRE and JIMAGE to infect target systems sets Tycoon apart from nearly every other ransomware out there in the wild. Aside from being a rarity in this regard, Tycoon can also infect Windows systems and Linux systems alike. 

If this is leaving you scratching your head, it is because Tycoon is written in Java. This language has been largely relegated to the programmer’s dustbin of history despite being the programming powerhouse of the world for a couple of decades. Attack campaign operators, on the other hand, understand the usefulness of this language: it allows a malware written in that language to infect Linux systems, which are still largely used in the business world today. Being platform-independent also opens up all other operating systems to Tycoon infection (heads up, iOS users!).

Once infection has taken hold on a system where the initial intrusion point has been observed to be an RDP jump-server (facing the internet), operators of Tycoon shift their efforts to maintaining network persistence. 

They use what is called Image File Execution Options Injection, or IFEO. IFEO settings can be found in the Windows Registry and developers normally use them during software debugging. It also gives additional privileges on the network, and Tycoon operators use this to disable anti-malware solutions/software, install backdoors and change Windows active directory passwords. At this point, Tycoon is fully situated to download and deploy the maliciously loaded JRE and JIMAGE and begin its true purpose — holding the files on the target system for ransom.

Tycoon uses an asymmetric encryption algorithm to encrypt the AES keys, which means to decrypt these files the user will need access to the Tycoon operator’s private RSA key. This is an RSA-1024 key and it would take an exceptional amount of computational power to factor.

After infection, the user will be faced with the nearly ubiquitous demand note on their desktop asking for payment in Bitcoin. As a fresh ransomware twist, the operators also offer users a test of their “decryption tool” in hopes to make users pay the ransom. Some third-party anti-malware firms have created decryption tools but they have been reported to only work with the first Tycoon variant.

How to prevent Tycoon

Below are some tips for preventing Tycoon:

  • Tycoon’s victim numbers are still quite small and are highly targeted and the point of infection is typically an internet-facing RDP jump server. Make sure your organization uses SSL/TLS to secure its RDP jump server
  • Apply security updates and patches — this may seem ubiquitous but staying up to date still pays off in terms of security
  • Cybersecurity training programs should cover the fact that ransomware is not spread only through phishing and malvertising but also manually — in which case, the victims will be highly targeted. In Tycoon’s case, the victims have all been in the software and educational fields

Conclusion

Tycoon is a ransomware that has been in the wild since at least December 2019. What makes this ransomware stand apart from the others is it is written in Java and utilizes JRE and JIMAGE to infect target systems. This is due to the fact that Java is a platform-independent language so it can infect systems with any OS. This illustrates that attack groups are expanding into different programming languages to widen their proverbial reach.

 

Sources

Report: Tycoon Ransomware Targets Windows, Linux Systems, BankInfoSecurity

Tycoon Ransomware Banks on Unusual Image File Tactic, ThreatPost

New Tycoon ransomware targets both Windows and Linux systems, Bleeping Computer