THREAT ALERT: DJvu Variant Delivered by Loader Masquerading as Freeware

Cybereason issues Threat Alerts to inform customers of emerging threats, including a recently observed DJvu variant delivered via a loader masquerading as freeware. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.

WHAT'S HAPPENING?

The Cybereason Security Services Team is investigating incidents that involve variants of the DJvu ransomware delivered via loader payloads masquerading as freeware or cracked software. 

While this attack pattern is not new, incidents involving a DJvu variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers. This Threat Alert will provide an overview of an attack involving this variant of DJvu, which we will call Xaro for ease of reference.

Impact

The adversary’s goal is data exfiltration, information stealing, and the encryption of files in order to garner a ransom from the victim.

Attack flow diagram of the Xaro infection- threat actors host malicious payloads as freeware online. When the user downloads and runs the payload, a variety of malware (including the DJvu variant Xaro) is executed.

KEY OBSERVATIONS

• .xaro extension: The DJvu variant observed in this attack appends the .xaro extension to affected files and drops its ransom note as the file _readme.txt. Other DJvu variants appending different extensions to affected files have been observed.
• Shotgun infection: Xaro was observed deployed along with a variety of other malicious files, indicating a ‘shotgun’ approach undertaken by the threat actor. Other malware strains include various infostealers, loaders, and downloaders, suggesting that on top of ransomware execution the attacker may be interested in double extortion and further compromise of affected machines.
• Leveraging freeware: This attack illustrates the risks involved with downloading freeware from untrusted sources.

CYBEREASON RECOMMENDATIONS

The Cybereason Defense Platform can detect and prevent post-exploitation observed in attacks using DJvu variants. Cybereason recommends the following actions:

• Enable Cybereason Anti-Ransomware and set it to Prevent to ensure maximum protection against ransomware.
• In the Cybereason Defense Platform, enable Application Control to block the execution of malicious files.
• To hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting Queries section to search for assets that have potentially been exploited. Based on the search results, take further remediation actions, such as isolating and re-imaging the affected machines.
• Ensure that users are educated on the risks of downloading freeware from untrusted sources or cracked software.
• Add relevant Indicators of compromise (IoCs) to your environment’s custom reputation list with the “Block & Prevent” flags.
  
  

DOWNLOAD THE FULL THREAT ALERT

This blog post is the summary of a full 16-page Threat Alert, which can be downloaded here. 

ABOUT THE RESEARCHER

Ralph Villanueva, Senior Security Analyst, Cybereason Global SOC

Ralph Villanueva is a Security Analyst with the Cybereason Global SOC team. He works hunting and combating emerging threats in the cybersecurity space. His interests include malware reverse engineering, digital forensics, and studying APTs. He earned his Masters in Network Security from Florida International University.