DJVU Ransomware’s Stealthy Evolution Masquerading as Cracked Software

A new iteration of the notorious DJVU ransomware, named Xaro, has emerged, showcasing a deceptive distribution tactic through cracked software. This variant, identified by American cybersecurity firm Cybereason, appends the .xaro extension to encrypted files while demanding ransom for a decryption key.

According to the researchers, this strain of DJVU, camouflaged within cracked software, marks a concerning trend. Incidents involving the .xaro extension have been identified in which the ransomware infiltrated systems alongside a variety of commodity loaders and infostealers.

Originating as a variant of the STOP ransomware, DJVU is adept at masquerading as legitimate software or services and is often disseminated as a payload of SmokeLoader. Notably, DJVU attacks have a potent impact due to their tendency to deploy additional malware, including information stealers like RedLine Stealer and Vidar, amplifying their damaging potential.

The Xaro variant follows a complex attack chain. It is distributed as an archive file from dubious sources, posing as a site offering legitimate freeware. Upon opening the archive, a purported installer for a PDF writing software, CutePDF, is launched. However, this installer is actually a pay-per-install malware downloader service named PrivateLoader.

PrivateLoader establishes contact with a command-and-control server, fetching an array of stealer and loader malware families, including RedLine Stealer, Vidar, Lumma Stealer, Amadey, SmokeLoader, Nymaim, GCleaner, XMRig, and Fabookie, alongside deploying Xaro.

This multifaceted approach of downloading and executing commodity malware is a common occurrence in PrivateLoader infections originating from suspicious sources. The strategy aims to gather sensitive information for double extortion and to ensure the attack succeeds even if one payload is blocked by security software.

Once running, Xaro begins encrypting files on the host and drops a ransom note demanding $980 for the private key and decryptor tool, reduced to $490 if paid within 72 hours. By also spawning Vidar infostealer instances, Xaro illustrates how ransomware attacks now combine file encryption with data theft for double extortion.

The threat actors gravitate towards freeware camouflage for deploying malicious code covertly. Understanding the rapid and widespread impact on infected systems is crucial for enterprise networks aiming to safeguard themselves and their data against such sophisticated threats.

Organizations can combat the Xaro variant by educating employees about the dangers of downloading cracked software and emphasizing the importance of obtaining software only from official sources. Employ robust endpoint protection solutions with behavior-based detection mechanisms to identify and block suspicious activities. Apply security patches regularly and maintain offline backups to mitigate the impact of a ransomware attack.
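As an added example (not code from the article or from Cybereason), the following Python script shows a defender-side triage step that follows from the one indicator the article gives: Xaro appends the .xaro extension to the files it encrypts. The script walks a directory tree, lists affected files, reports how much of each directory was hit, and recovers the original filenames for an inventory of what needs restoring from backup. The sample directory tree it builds is constructed for illustration, and the function names are my own.

```python
"""
Added example: triage a file system for files carrying the ".xaro" suffix that
the article says the Xaro/DJVU variant appends to encrypted files. It only
inventories affected files; it does not (and cannot) decrypt anything.
"""
import os
import shutil
import tempfile
from collections import Counter

XARO_EXT = ".xaro"  # extension named in the article


def scan_for_xaro(root: str) -> dict:
    """Walk `root` and summarise files whose name ends in .xaro.

    Returns a dict with:
      "encrypted"   - sorted list of full paths of .xaro files
      "per_dir"     - Counter mapping directory -> number of .xaro files in it
      "total_files" - number of regular files examined
    """
    encrypted = []
    per_dir = Counter()
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if name.lower().endswith(XARO_EXT):
                encrypted.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return {"encrypted": sorted(encrypted), "per_dir": per_dir, "total_files": total}


def infection_ratio(summary: dict) -> float:
    """Fraction of examined files that carry the .xaro suffix (0.0 if none seen)."""
    if summary["total_files"] == 0:
        return 0.0
    return len(summary["encrypted"]) / summary["total_files"]


def original_name(filename: str) -> str:
    """Strip a trailing .xaro suffix to recover the pre-encryption filename.

    "report.docx.xaro" -> "report.docx"; names without the suffix are unchanged.
    Useful for building a restore list against offline backups.
    """
    if filename.lower().endswith(XARO_EXT):
        return filename[: -len(XARO_EXT)]
    return filename


def restore_list(summary: dict) -> list:
    """Paths (with original names) that should be restored from backup."""
    return [os.path.join(os.path.dirname(p), original_name(os.path.basename(p)))
            for p in summary["encrypted"]]


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking a partially encrypted host.

    Three files carry the .xaro suffix; one ordinary text file is untouched.
    """
    root = tempfile.mkdtemp(prefix="xaro_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    sample = {
        os.path.join(docs, "report.docx.xaro"): b"constructed ciphertext",
        os.path.join(docs, "budget.xlsx.xaro"): b"constructed ciphertext",
        os.path.join(docs, "notes.txt"): b"constructed plaintext note",
        os.path.join(pics, "holiday.jpg.xaro"): b"constructed ciphertext",
    }
    for path, content in sample.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def cleanup(root: str) -> None:
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_for_xaro(demo_root)
    print(f"Examined {result['total_files']} files, "
          f"{len(result['encrypted'])} carry {XARO_EXT} "
          f"({infection_ratio(result):.0%}).")
    for directory, count in result["per_dir"].items():
        print(f"  {directory}: {count} encrypted file(s)")
    print("Restore from backup:")
    for path in restore_list(result):
        print(f"  {path}")
    cleanup(demo_root)
```

In practice the scan would be pointed at user profile and file-share roots on a suspect host; the per-directory counts help distinguish a host-wide encryption run from a stray renamed file, and the restore list is the input to recovery from the offline backups the article recommends.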