A new variant of the well-known DJVU ransomware is being distributed through cracked software, raising fresh concerns within the cybersecurity community. This particular variant appends the .xaro extension to files, prompting affected users to pay a ransom for decryption capabilities. According to Cybereason security researcher Ralph Villanueva, the behavior is not novel; however, the recent incidents highlight a troubling trend of this DJVU variant accompanying a range of common loaders and information stealers.

This variant has been designated as Xaro by the American cybersecurity firm and is propagated under the guise of legitimate applications. DJVU generally operates under the pretense of trusted services and commonly arrives bundled with malware like SmokeLoader. The deployment method leverages dubious archive files posing as downloads from sites that claim to offer free software.

The attack chain documented by Cybereason reveals that opening these deceptive archive files executes what appears to be an installer for a PDF writing application, CutePDF. In reality, this binary acts as a pay-per-install malware downloader powered by PrivateLoader, which links to a command-and-control (C2) server.

PrivateLoader is notorious for disseminating a diverse array of malware families, including RedLine Stealer, Vidar, and SmokeLoader, in addition to the Xaro ransomware. This strategy of deploying multiple malware types simultaneously is characteristic of PrivateLoader infections, particularly those stemming from untrustworthy freeware or cracked software sources. Villanueva noted that this method serves to gather and exfiltrate sensitive information while also ensuring attack success, even if one of the payloads is blocked by security software.

Once unleashed, the Xaro variant not only encrypts files on the host but also drops a ransom note instructing victims to pay $980 for the decryption key and software. Interestingly, an early payment incentive reduces this fee to $490 within a 72-hour window.

This incident underscores the inherent risks of downloading software from unverified sources. In a related campaign, security firm Sucuri recently reported a scheme called FakeUpdateRU, where compromised sites display fraudulent browser update notifications to distribute malware like RedLine Stealer. This mirrors the tactics observed with Xaro, which exploits the allure of free software to facilitate its malicious payload.

Villanueva emphasized that threat actors often prefer freeware as a covert means to distribute malicious code. The speed and breadth of damage such attacks cause on infected systems should compel organizations to adopt vigilant security practices. They must recognize the relevant tactics described in the MITRE ATT&CK framework, in particular initial access and persistence, and take proactive measures to harden their defenses against threats like the Xaro variant.
