Tycoon malware: What it is, how it works and how to prevent it | Malware spotlight - Security Boulevard

Introduction

It has been said that a picture is worth a thousand words. In the world of malware, a picture is worth an infection — in other words, the picture can actually be the malware (ransomware, in this case) that first infects the compromised machine. This malware is called Tycoon, and it uses an obscure image format to infect machines and unleash its ransomware on the compromised host.

This article will explore the Tycoon ransomware and detail what Tycoon is, how it works and how to prevent it.

What is Tycoon?

Tycoon is ransomware that has been observed in the wild since December 2019. While its victim profile is relatively small, it targets small- and medium-sized businesses operating in both the software and educational fields. This has led researchers to conclude that its use is highly targeted, meaning that its operators deploy the malware selectively, in situations where it is most likely to succeed.

Though deployed manually like many other ransomware families, what sets Tycoon apart is that its operators spread it in a zip file containing what is called a Trojanized Java Runtime Environment (JRE) build. The malicious code is packaged in a rarely seen file type called a Java image file (JIMAGE) that many (including myself) were not even aware existed. It is actually a little astonishing that this file format has not been more widely used in malware campaigns, given the minuscule memory footprint that it leaves. More on this point later.
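Because a JIMAGE file can hide under any name inside such a zip, a defender triaging a suspicious "JRE build" wants to find members by their header rather than by extension. The following is an added example, not code from the article or from any vendor: it parses the JIMAGE header as laid out in OpenJDK's `jdk.internal.jimage.ImageHeader` (magic 0xCAFEDADA followed by six 32-bit words, written in the producer's native byte order) and scans a constructed sample archive for members that carry it.

```python
import io
import struct
import zipfile

# JIMAGE header (OpenJDK ImageHeader): seven 32-bit words in native byte order:
# magic, version (major << 16 | minor), flags, resource count, table length,
# locations size, strings size. The JDK reader accepts either byte order.
JIMAGE_MAGIC = 0xCAFEDADA
HEADER_LEN = 28


def parse_jimage_header(data: bytes):
    """Return a dict describing a JIMAGE header, or None if data is not JIMAGE."""
    if len(data) < HEADER_LEN:
        return None
    for order in ("<", ">"):
        magic, version, flags, res, tbl, locs, strs = struct.unpack(order + "7I", data[:HEADER_LEN])
        if magic == JIMAGE_MAGIC:
            return {"byte_order": "little" if order == "<" else "big",
                    "major": version >> 16, "minor": version & 0xFFFF,
                    "flags": flags, "resource_count": res, "table_length": tbl,
                    "locations_size": locs, "strings_size": strs}
    return None


def find_jimage_members(zip_bytes: bytes):
    """Report every archive member whose content starts with a JIMAGE header,
    whatever its file name or extension; returns a list of (name, header)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                hdr = parse_jimage_header(fh.read(HEADER_LEN))
            if hdr is not None:
                hits.append((info.filename, hdr))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample for demonstration, not a real malware artifact: one
    little-endian JIMAGE header under a JRE-like path plus an innocuous text file."""
    jimage = struct.pack("<7I", JIMAGE_MAGIC, (1 << 16) | 0, 0, 3, 4, 64, 32) + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jre/lib/modules", jimage)
        zf.writestr("README.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hdr in find_jimage_members(build_sample_zip()):
        print(name, hdr)
```

A hit is only a triage lead: a legitimate JRE ships exactly one such member at `lib/modules`, so additional or renamed JIMAGE members in a distributed archive are what merit a closer look.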

The combined use of a JRE and JIMAGE to infect systems with ransomware means that Tycoon is not spread via malspam and phishing campaigns. Rather, it is designed to be spread manually and faces the related challenges of manually spread malware, such as a (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/59PPZfLHez0/