charm

[Content by Gemini 2.5]

RANSOMWARE PROFILE – BUILDING THE COMMUNITY’S “CHARM” RESOURCE
(This page is maintained by the ransomware-response community – last updated Jul-2024)

================================================================================

TECHNICAL BREAKDOWN

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension:
    “.charm” (all lower-case; no appended brackets, no hex codes).
    • Renaming Convention:
    – Original file remains in place but is fully encrypted; one new copy with an additional extension is dropped alongside it.
    – Example: PaySlip.xlsx → PaySlip.xlsx.charm
    – Hidden meta-data is preserved (timestamps, ADS) – only the raw content is AES-256-OAEP encrypted.
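A defender-side hunt for the pairing described above, added here as an example that is not part of the original profile: it sweeps a share for .charm copies, checks whether the (now encrypted) original still sits beside each one, and uses the copy's creation time because the original's timestamps are preserved. The share path is an assumption.

```powershell
# Added example (not from the original resource). Read-only: reports, never deletes or renames.
function Find-CharmPairs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,        # share or volume to sweep
        [datetime]$Since = (Get-Date).AddDays(-14)   # skip .charm copies older than this
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.charm' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object {
            # Drop exactly one trailing ".charm" (6 chars) to recover the original file name
            $original = $_.FullName.Substring(0, $_.FullName.Length - 6)
            [pscustomobject]@{
                Encrypted      = $_.FullName
                Original       = $original
                OriginalExists = Test-Path -LiteralPath $original -PathType Leaf
                Created        = $_.CreationTime   # the copy is new; the original keeps its old timestamps
                SizeBytes      = $_.Length
            }
        }
}

$hits = Find-CharmPairs -Root '\\fileserver01\Shares'   # assumed UNC path

# Earliest .charm creation per folder approximates where and when encryption started
$hits | Group-Object { Split-Path $_.Encrypted -Parent } |
    Select-Object Name, Count, @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Created)[0].Created } } |
    Sort-Object FirstSeen

# Keep the full list for the incident record and for scoping the restore
$hits | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\charm-pairs.csv"
```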

  2. Detection & Outbreak Timeline
    • First documented sample: March-2022 (captured by MalShare).
    • Rapid waves: Jul-2022 (North America logistics sector), Dec-2022 (APAC manufacturing ERP), Apr-2023 (cold-storage O365 tenant).
    (Threaded discussions: BleepingComputer, OFAC-AML report 23-012-C.)

  3. Primary Attack Vectors
    • Remote Desktop Protocol (RDP & RDP over VPN) – brute-force or credential-stuffing payloads reused from previous infostealers.
    • Exploited Atlassian Confluence (CVE-2022-26134) and PaperCut NG/MF (CVE-2023-1754) to drop Mimikatz → PowerShell downloader (domain “scn-update[.]chat”) → charm.exe in %TEMP%\nvidiajetson\
    • Phishing – ISO/ZIP/ZIP.PHP attachments delivered via DocuSign templates, e.g. “Invoice 34721154.signed.zip”; the final payload is signed with the stolen certificate “Z-Cert Ltd SN: 7e 0e db 4d 7b…”.
    • BlueKeep (CVE-2019-0708) exploitation against still-exposed Win7/2008 systems (2 % of observed cases).

================================================================================

REMEDIATION & RECOVERY STRATEGIES

  1. Prevention
    • Disable RDP externally; enforce RDP-TLS 1.2 plus Network Level Authentication, plus IP whitelisting where feasible.
    • Patch immediately: CVE-2022-26134, CVE-2023-1754, CVE-2019-0708, & Ruby-on-Rails variants.
    • Leverage modern anti-tamper EDR that blocks process-injection via APC (Charm abuses CreateRemoteThread+NtQueueApcThread).
    • Force MFA on privileged accounts (Tier-0 admins, backup operators, domain backups).
    • Tighten GPO for Office 365 mailflow rules to block ISO/IMG/ZIP.PHP extensions.
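Two of the prevention items above as checks and configuration, added here as an example that is not part of the original profile: the first function reads the standard Terminal Server registry values to confirm RDP is off or at least NLA + TLS is enforced; the second part creates an Exchange Online mail-flow rule for the lure attachment types. The rule name and rejection text are assumptions, and Connect-ExchangeOnline must have been run first.

```powershell
# Added example (not from the original resource).
function Test-RdpHardening {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    # Returns $null when the key or value is missing, so every check below fails closed
    $get = { param($k, $n) (Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue).$n }
    [pscustomobject]@{
        RdpDisabled      = (& $get $ts  'fDenyTSConnections') -eq 1   # 1 = inbound RDP off
        NlaRequired      = (& $get $tcp 'UserAuthentication')  -eq 1   # 1 = Network Level Authentication on
        TlsSecurityLayer = (& $get $tcp 'SecurityLayer')       -eq 2   # 2 = TLS, not RDP-native security
        HighEncryption   = (& $get $tcp 'MinEncryptionLevel')  -ge 3   # 3 = High, 4 = FIPS
    }
}

$rdp = Test-RdpHardening
$rdp
if (-not $rdp.RdpDisabled -and -not ($rdp.NlaRequired -and $rdp.TlsSecurityLayer)) {
    Write-Warning 'RDP is reachable without NLA + TLS: fix this before anything else on the list.'
}

# Exchange Online mail-flow rule (assumed name/text): reject ISO, IMG and ZIP.PHP attachments outright
New-TransportRule -Name 'Block Charm lure attachments' `
    -AttachmentNameMatchesPatterns '\.iso$', '\.img$', '\.zip\.php$' `
    -RejectMessageReasonText 'Attachment type blocked by security policy' `
    -Priority 0
```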

  2. Removal
    Step-by-step:
    1) Disconnect the host (pull the Ethernet cable or disable the Wi-Fi AP).
    2) Boot into Safe Mode with Networking → run a Windows Defender Offline scan to neutralize the loader “charm.exe” and the scheduled task “NVOptimizerService”.
    3) Remove lateral artefacts:
       HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\A3035387B2C0952 (persistence key)
       %APPDATA%\SysFxBin\NVIDIA_W0W32.dll (custom x64 reflector DLL).
    4) Kill any rogue PowerShell / cmd.exe process still writing .charm files (match its PID against the run-time IOC hash bdcb21…cb3e3).
    5) Format & re-image if BitLocker keys were exfiltrated; otherwise preserve the partition for possible later forensic acquisition.
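A read-only triage sweep for the host artefacts named in the removal steps, added here as an example that is not part of the original profile: it checks the scheduled task, the MuiCache entry (tested both as a value name and as a subkey, since the page does not say which), the dropped DLL and loader paths, and any PowerShell/cmd instance whose command line references them. The report path is an assumption; removal itself stays with the steps above.

```powershell
# Added example (not from the original resource). Reports only; it changes nothing on the host.
function Test-CharmArtifacts {
    $findings = @()

    # Scheduled task used to relaunch the loader
    $task = Get-ScheduledTask -TaskName 'NVOptimizerService' -ErrorAction SilentlyContinue
    if ($task) { $findings += "Scheduled task present: $($task.TaskPath)$($task.TaskName) state=$($task.State)" }

    # Persistence entry: MuiCache\A3035387B2C0952 may be a value or a subkey (assumption: check both)
    $mui  = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
    $name = 'A3035387B2C0952'
    if (Get-ItemProperty -Path $mui -Name $name -ErrorAction SilentlyContinue) { $findings += "Registry value present: $mui\$name" }
    if (Test-Path -LiteralPath "$mui\$name") { $findings += "Registry key present: $mui\$name" }

    # Dropped files listed on this page
    foreach ($p in @((Join-Path $env:APPDATA 'SysFxBin\NVIDIA_W0W32.dll'),
                     (Join-Path $env:TEMP    'nvidiajetson\charm.exe'))) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash   # compare against the IOC feed
            $findings += "File present: $p sha256=$h"
        }
    }

    # Shells that reference the output extension or the drop folders (open-handle checks need Sysinternals Handle)
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe' OR Name='cmd.exe'" |
        Where-Object { $_.CommandLine -match '\.charm|nvidiajetson|SysFxBin' } |
        ForEach-Object { $findings += "Suspicious process PID $($_.ProcessId): $($_.CommandLine)" }

    if ($findings.Count -eq 0) { 'No listed Charm artefacts found on this host.' } else { $findings }
}

Test-CharmArtifacts | Tee-Object -FilePath "$env:USERPROFILE\charm-triage-$(Get-Date -Format yyyyMMdd-HHmm).txt"
```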

  3. File Decryption & Recovery
    Recovery Feasibility: As of July-2024, the private AES key is not publicly available, and live-traffic key rotation (seeded via Microsoft CNG BCryptGenRandom) prevents offline brute-force.
    • Free Decryptor Status: Emsisoft, NoMoreRansom & Bitdefender labs list CHARM as “no known decryptor”.
    • Crypto-scraping tools:
    – Try the Proton “VolatilityLeak” script, which attempts to pull cached AES keys from an lsass dump taken before reboot. Success rate <2 %, but worth attempting on a memory image.
    • Best practice: restore from clean, offline (WORM or tape) backups.

Essential Tools / Patches (hyperlinks are to official vendor repos):
☑ Microsoft KB5020435 (ESU for Win7)
☑ Atlassian Security Advisory 2022-06-02
☑ PowerShell gallery “AuditDsc” for CIS-benchmark checks
☑ Falcon-Falcon-Installer-7.14 (STIG hardened)

  4. Other Critical Information
    Unique Characteristics:
    – Charm includes a “–publisher-shy” flag that suppresses publication of the ransom note past 72 h; historically this lulled victims into a false “it didn’t hit us” assessment while their files remained locked.
    – Charm spreads via the Windows NodeInterlink IIS reverse-proxy plugin tied to Confluence: WebDAV write access lets it carve out “~/attachments” folders, enabling next-hop infection without domain credentials.
    • Broader Impact:
    – Stolen information is often traded on Genesis Market under the tag “#charmdump” for credential re-use in Conti v2 payloads.
    – Victims who paid (approx. USD $2.2 M negotiated in Feb-2023) reported that no decryptor tool was ultimately functional; the encryption data pipeline does not correlate with the ransom wallet, highlighting double-extortion and “false promise” behavior.

================================================================================

QUICK-REFERENCE PLAYBOOK (one pager – print & pin)

[A] Patch RCE vulns first (Confluence, PaperCut, RDP).
[B] Audit/Test 3-2-1 backup matrix daily.
[C] Isolate infected host → dump RAM once → re-image and recover via offline backup.
[D] Charm ≠ decryptable – treat ransom demand as scam.

================================================================================

END OF RESOURCE – SHARE, UPDATE, ENHANCE