Cybersecurity researchers at Cybereason have uncovered that one of the latest variants of the notorious DJVU ransomware, dubbed Xaro, is using cracked software as its distribution vector. This is not the first time DJVU, also known as STOP ransomware, has relied on cracked software to reach victims.
Xaro preys on unsuspecting users by hiding inside seemingly harmless archive files hosted on dubious sites that pose as legitimate freeware providers. In this campaign, the lure is an apparently benign installer for CutePDF, a popular PDF writing tool, offered for download from such a site.
PrivateLoader Used in the Campaign
Upon opening the archive, the supposed CutePDF installer triggers the activation of PrivateLoader, a pay-per-install malware downloader service. PrivateLoader establishes a connection with a command-and-control server, initiating the download of a variety of malware families, including notorious information stealers like RedLine Stealer and Vidar, as well as potent loaders such as SmokeLoader and Nymaim.
A distinctive characteristic of this attack is its “shotgun approach,” in which multiple malware strains are deployed at once. The tactic raises the odds that the intrusion succeeds even if one payload is detected and blocked by conventional security controls, and the mix of families, each with its own capabilities, illustrates how layered the threat has become.
True to its ransomware nature, Xaro not only encrypts files within the infected host but also deploys an instance of the Vidar infostealer. This dual-threat approach aims to maximize the impact on targeted systems, combining file encryption for extortion purposes with information theft for potential double extortion scenarios.
Upon encrypting files, Xaro issues a ransom note, demanding a payment of $980 for the private key and decryptor tool. Notably, this ransom amount is halved to $490 if the victim contacts the threat actor within 72 hours, adding a sense of urgency to the extortion attempt.
The Risks of Freeware from Untrusted Sources
This attack chain is a stark reminder of the risks of downloading freeware from untrusted sources. As threat actors increasingly favor freeware as a covert delivery method for malicious code, users and enterprises alike must stay alert and adopt stringent cybersecurity measures to defend against evolving ransomware strategies.