New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises


The malware attempts to drop this driver as %SystemRoot%\System32\Drivers\WWC.sys and register it as the “WWC” service. However, our analysis revealed that while this anti-EDR component exists in the data section, it remains dormant and is never called during execution. This suggests that the feature is still under development and hasn’t been activated in this variant, possibly reserved for future versions.

Defending against Charon ransomware

Given the Charon threat actor’s blend of stealth, speed, and evasiveness, a multilayered defense is critical. Here are some actionable best practices for security teams:

  • Harden against DLL sideloading and process injection by:
    • Limiting which executables can run and load DLLs, especially in directories commonly abused for sideloading (e.g., app folders, temp locations).
    • Alerting on suspicious process chains, such as Edge.exe or other signed binaries spawning nonstandard DLLs or svchost.exe instances.
    • Watching out for unsigned or suspicious DLLs placed next to legitimate binaries.
  • Ensure that EDR and antivirus agents are running with capabilities that prevent malware from disabling, tampering with, or uninstalling the security…
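As an added example (not code from the original article), the detection heuristics above expressed as simple rules run over constructed Sysmon-style events; the event schema, the `WRITABLE_ROOTS` list and the sample paths are assumptions for illustration only:

```python
# Added example (not from the original article): a small triage routine that
# applies the page's detection heuristics to Sysmon-style events. The event
# schema and sample records are constructed for illustration.
import ntpath

# Directories commonly abused for sideloading (assumption: tune per estate).
WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Artifacts named on the page: the dormant anti-EDR driver and its service.
DRIVER_PATH_SUFFIX = r"\system32\drivers\wwc.sys"
SERVICE_NAME = "wwc"

def triage(events):
    """Return (rule, event_id) tuples for events that match a heuristic."""
    alerts = []
    for ev in events:
        eid, kind = ev["id"], ev["type"]
        # Rule 1: a signed browser binary spawning svchost.exe is an odd chain.
        if (kind == "process_create"
                and ev["parent"].lower().endswith("edge.exe")
                and ntpath.basename(ev["image"].lower()) == "svchost.exe"):
            alerts.append(("suspicious_chain_edge_svchost", eid))
        # Rule 2: an unsigned DLL loaded from the same directory as its host
        # binary, in a user-writable location (classic sideloading layout).
        if kind == "image_load" and not ev.get("signed", False):
            dll, host = ev["image_loaded"].lower(), ev["image"].lower()
            if (ntpath.dirname(dll) == ntpath.dirname(host)
                    and dll.startswith(WRITABLE_ROOTS)):
                alerts.append(("unsigned_dll_beside_host", eid))
        # Rule 3: the driver drop and service registration described above.
        if kind == "file_create" and ev["target"].lower().endswith(DRIVER_PATH_SUFFIX):
            alerts.append(("wwc_driver_dropped", eid))
        if kind == "service_install" and ev["service"].lower() == SERVICE_NAME:
            alerts.append(("wwc_service_registered", eid))
    return alerts
# Constructed sample telemetry; paths and names are illustrative only.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\Edge.exe"},
    {"id": 2, "type": "image_load", "signed": False,
     "image": r"C:\Users\bob\AppData\Local\Temp\Edge.exe",
     "image_loaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"id": 3, "type": "image_load", "signed": True,
     "image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 4, "type": "file_create", "target": r"C:\Windows\System32\Drivers\WWC.sys"},
    {"id": 5, "type": "service_install", "service": "WWC"},
    {"id": 6, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\explorer.exe"},
]
```

Events 3 and 6 are benign controls (a signed system DLL load and explorer.exe spawning svchost.exe) and produce no alert.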
