DJVU Ransomware’s Latest Variant ‘Xaro’ Disguised as Cracked Software

A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software.

“While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers,” Cybereason security researcher Ralph Villanueva said.

The new variant has been codenamed Xaro by the American cybersecurity firm.

DJVU, in itself a variant of the STOP ransomware, typically arrives on the scene masquerading as legitimate services or applications. It’s also delivered as a payload of SmokeLoader.

A significant aspect of DJVU attacks is the deployment of additional malware, such as information stealers (e.g., RedLine Stealer and Vidar), making them more damaging in nature.

In the latest attack chain documented by Cybereason, Xaro is propagated as an archive file from a dubious source that masquerades as a site offering legitimate freeware.

Opening the archive file leads to the execution of a supposed installer binary for a PDF writing software called CutePDF that, in reality, is a pay-per-install malware downloader service known as PrivateLoader.

PrivateLoader, for its part, establishes contact with a command-and-control (C2) server to fetch a wide range of stealer and loader malware families like RedLine Stealer, Vidar, Lumma Stealer, Amadey, SmokeLoader, Nymaim, GCleaner, XMRig, and Fabookie, in addition to dropping Xaro.

“This shotgun-approach to the download and execution of commodity malware is commonly observed in PrivateLoader infections originating from suspicious freeware or cracked software sites,” Villanueva explained.

The goal appears to be to gather and exfiltrate sensitive information for double extortion as well as ensure the success of the attack even if one of the payloads gets blocked by security software.

Xaro, besides spawning an instance of the Vidar infostealer, is capable of encrypting files in the infected host, before dropping a ransom note, urging the victim to get in touch with the threat actor to pay $980 for the private key and the decryptor tool, a price that drops by 50% to $490 if approached within 72 hours.

If anything, the activity illustrates the risks involved with downloading freeware from untrusted sources. Last month, Sucuri detailed another campaign called FakeUpdateRU wherein visitors to compromised websites are served bogus browser update notices to deliver RedLine Stealer.

“Threat actors are known to favor freeware masquerading as a way to covertly deploy malicious code,” Villanueva said. “The speed and breadth of impact on infected machines should be carefully understood by enterprise networks looking to defend themselves and their data.”