DJVU ransomware

Cracked software has emerged as a common distribution vector for the ransomware strain known as DJVU.

“While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers,” said Ralph Villanueva, a security researcher at Cybereason.

The American cybersecurity company has given the latest version the codename Xaro.

DJVU, a variant of the STOP ransomware, typically impersonates legitimate applications or services to get onto a system. It has also been observed being delivered as a payload by the SmokeLoader malware.

A defining trait of DJVU attacks is the deployment of additional malware, in particular information stealers such as RedLine Stealer and Vidar, which significantly widens the damage a single infection can cause.

Cybereason has described the most recent attack chain in which Xaro is distributed as an archive file from a questionable website that poses as a source of genuine shareware.

Opening the ZIP archive launches an executable that masquerades as an installer for CutePDF, a PDF-creation tool, but is in fact PrivateLoader, a pay-per-install malware downloader service.

PrivateLoader, for its part, drops Xaro and contacts a command-and-control (C2) server to fetch a wide range of stealer and loader malware families, including RedLine Stealer, Vidar, Lumma Stealer, Amadey, SmokeLoader, Nymaim, GCleaner, and Fabookie.

“This shotgun-approach to the download and execution of commodity malware is commonly observed in PrivateLoader infections originating from suspicious freeware or cracked software sites,” Villanueva said.

The goal, it appears, is twofold: to gather and exfiltrate sensitive data for double extortion, and to ensure the attack still succeeds even if security software blocks one of the payloads.

Besides spawning an instance of the Vidar infostealer, Xaro encrypts files on the compromised host and then drops a ransom note urging the victim to contact the threat actor and pay $980 for the private key and decryptor tool. The price drops to $490 if the victim makes contact within 72 hours.
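The post-encryption state described above (files renamed with a .xaro extension, a dropped ransom note quoting the $980 / $490 / 72-hour terms) is what an incident responder can look for on disk. The following triage script is an added example, not code from Cybereason or from the campaign: it walks a directory tree, flags .xaro files, checks whether their contents actually look encrypted (high Shannon entropy) so that renamed-but-unencrypted files are reported separately, and searches small text files for the ransom terms quoted in the article. The sample tree, file names and ransom-note wording are constructed for the demo; the real note's filename and phrasing are not given on this page and are not assumed here.

```python
"""Filesystem triage for the DJVU/Xaro behaviour described in the article.

Added example (not Cybereason's code): flag .xaro files, confirm they look
encrypted via entropy, and locate candidate ransom notes by the ransom terms
the article quotes. All sample files below are constructed for the demo.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

XARO_SUFFIX = ".xaro"
# Ransom terms taken from the article ($980, $490, 72 hours, a decryptor);
# the surrounding note wording is an assumption, so we match on the terms only.
RANSOM_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (r"\$980", r"\$490", r"72\s*hours", r"decrypt")
]
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are small text files


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: ~8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, sample_size: int = 4096, threshold: float = 7.0) -> bool:
    """Read the first sample_size bytes and test them against an entropy threshold."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= threshold


def is_ransom_note(path: Path) -> bool:
    """A small text file matching at least two of the ransom terms is a candidate note."""
    try:
        if path.stat().st_size > MAX_NOTE_BYTES:
            return False
        text = path.read_text(errors="replace")
    except OSError:
        return False
    hits = sum(1 for p in RANSOM_PATTERNS if p.search(text))
    return hits >= 2


def triage(root: Path) -> dict:
    """Walk root; bucket .xaro files by entropy and collect candidate ransom notes."""
    encrypted, low_entropy, notes = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.endswith(XARO_SUFFIX):
                # A .xaro file with low entropy was renamed but not (fully) encrypted:
                # worth a separate look rather than a silent false positive.
                (encrypted if looks_encrypted(p) else low_entropy).append(p)
            elif is_ransom_note(p):
                notes.append(p)
    return {"encrypted": sorted(encrypted), "low_entropy": sorted(low_entropy), "notes": sorted(notes)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one encrypted .xaro, one merely renamed .xaro, one note, one benign file."""
    (root / "docs").mkdir()
    (root / "docs" / "invoice.pdf.xaro").write_bytes(os.urandom(4096))    # ciphertext-like
    (root / "docs" / "notes.txt.xaro").write_bytes(b"plain text " * 400)  # renamed, not encrypted
    (root / "ransom_note.txt").write_text(                               # constructed wording
        "Your files have been encrypted. Contact us to buy the private key and "
        "decryptor tool. Price: $980. If you write within 72 hours the price is $490.\n"
    )
    (root / "todo.txt").write_text("buy milk\n")


def demo() -> dict:
    """Build the sample tree in a temp directory and return file names per category."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {k: [p.name for p in v] for k, v in triage(root).items()}


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

The entropy check matters because an extension match alone says nothing about whether data was actually encrypted; a process killed mid-run, or a decoy, can leave .xaro files with plaintext inside, and those are the files a responder may still be able to recover without a key.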

The behavior, if anything, underscores the risks of downloading freeware from untrusted sources. Last month, Sucuri detailed a separate campaign dubbed FakeUpdateRU, in which visitors to compromised websites are served fake browser update notifications that deliver RedLine Stealer.

“Threat actors are known to favor freeware masquerading as a way to covertly deploy malicious code,” Villanueva stated. “The speed and breadth of impact on infected machines should be carefully understood by enterprise networks looking to defend themselves and their data.”