DJvu Ransomware Mimic as Freeware to Compromise Computers | #ransomware | #cybercrime

A recent campaign has been observed to be delivering DJvu ransomware through a loader that pretends to be freeware or cracked software. This ransomware has been previously reported to provide a .xaro extension to infected files, and threat actors demand a ransom for decrypting those files.

The main goals of this ransomware are data exfiltration, stealing information, and ransom demand. This malware uses a Shotgun approach and is found to be deployed with a variety of other malicious files.


Protect Your Storage With SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

DJvu Ransomware Infection

The threat actors distributed malicious .7z archive files for the initial access vector with an untrusted website masquerading as a legitimate freeware distribution site. When the victims download the malicious install.7z archive file and extract it, it consists of an install.exe file.

This file is a large binary-packed file with a size of about ~0.7 GB. Further analysis of this file revealed that this was a PrivateLoader first observed in 2021.

If victims execute the install.exe file, it downloads several additional malware like Redline Stealer (infostealer), Vidar (infostealer), Amadey (botnet), Nymaim (downloader), GCleaner(loader), XmRig(Crytominer), Fabookie (Facebook infostealer) and LummaC Stealer (MaaS platform acting as an infostealer).

In addition to this, the Xaro payload was found to be running on the compromised machine within three minutes of the install.exe execution. There were two observed flows of the execution and termination of the Xaro payload.

First Flow & Second Flow

The first flow uses a process name with a four-character long alphanumeric string, such as 5r64.exe, and injects itself a code by creating a child process of itself. This child process creates a registry at the location \software\microsoft\windows\currentversion\run\syshelper. 

The second flow was similar to the first but used certain bypass security measures. The child process in this flow connects to a C2 server api.2ip[.]ua. In addition to this, it also encrypts files in the C:\Users\User directory on the compromised machines.

Furthermore, a complete report about this ransomware variant has been published by CyberReason, which provides detailed information about the execution process, payloads used, source code, and other information.

Indicators of Compromise

Type Value Comment
SHA-256 10ef30b7c8b32a4c91d6f6fee738e39dc02233d71ecf4857bec6e70520d0f5c1 install.exe
SHA-256 83546201db335f52721ed313b9078de267eaf1c5d58168b99e35b2836bf4f0fc Xaro payload
SHA-256 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4 Build2.exe
SHA-256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 Build3.exe
Domain api.2ip[.]ua Xaro C2 Server
Domain colisumy[.]com Xaro C2 Server
Domain zexeq[.]com Xaro C2 Server
Task Name Azure-Update-Task Scheduled Task
Task Name Time Trigger Task Scheduled task used to rerun Xaro
Registry software\microsoft\windows\currentversion\run\syshelper Registry entry used by Xaro for persistence

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Source link

National Cyber Security