A recent campaign has been observed delivering DJvu ransomware through a loader that poses as freeware or cracked software. This ransomware variant has previously been reported to append a .xaro extension to the files it encrypts, after which the threat actors demand a ransom for decryption. Beyond the ransom demand, the campaign's goals include data exfiltration and information stealing. The malware uses a "shotgun" approach and was found deployed alongside a variety of other malicious files.

The initial access vector is a 7z archive hosted on an untrusted website masquerading as a legitimate freeware distribution site. Once the victim downloads and extracts the archive, it contains an install.exe, a large binary-packed file of roughly 0.7 GB. Further analysis revealed this file to be PrivateLoader, a loader first observed in 2021. When install.exe runs, it downloads several additional malware families, including RedLine Stealer, Vidar, Amadey, Nymaim, GCleaner (loader), XMRig (cryptominer), Fabookie and LummaC Stealer. The Xaro payload was found running on the compromised machine within three minutes of install.exe executing.

Two execution flows of the Xaro payload were observed. In the first, the payload runs under a process name consisting of a four-character alphanumeric string, such as 5r64.exe, spawns a child process of itself and injects code into it. That child process then creates a registry value for persistence at Software\Microsoft\Windows\CurrentVersion\Run\SysHelper. The second flow is similar to the first but adds steps to bypass security measures. Its child process connects to the C2 server api.2ip[.]ua and encrypts files under the C:\Users\User directory on the compromised machine.
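The two execution flows above reduce to a handful of host indicators that can be correlated per process: a four-character alphanumeric image name spawning a copy of itself, a Run-key value named SysHelper written by that child, a DNS lookup of the C2 domain, and files under C:\Users being renamed to .xaro. The following is an added example, not code from the article or from the Cybereason report, that implements that correlation over constructed Sysmon-style telemetry; the event field names, the PIDs and the benign Chrome noise records are assumptions made for the demonstration.

```python
"""Correlate per-process indicators of the Xaro execution flows.

Added example, not from the article or the Cybereason report. The telemetry
schema (type/pid/ppid/image/parent_image/key/query/target) is an assumption
modelled loosely on Sysmon event fields.
"""
import re
from collections import defaultdict

# Four-character alphanumeric image name such as 5r64.exe (flow 1 and 2).
FOUR_CHAR_EXE = re.compile(r"^[0-9a-z]{4}\.exe$", re.IGNORECASE)
# Run-key persistence value created by the injected child process.
RUN_KEY_SYSHELPER = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\syshelper$", re.IGNORECASE
)
# Defanged C2 indicator as written in reporting; refanged before matching.
C2_DOMAINS_DEFANGED = {"api.2ip[.]ua"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator like api.2ip[.]ua back into a matchable host."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators_by_pid(events):
    """Map each PID to the set of Xaro indicators it exhibited."""
    hits = defaultdict(set)
    for e in events:
        t = e["type"]
        if t == "process_create":
            child, parent = image_name(e["image"]), image_name(e["parent_image"])
            # Flow 1/2: a 4-char alphanumeric exe spawning a copy of itself.
            if FOUR_CHAR_EXE.match(child) and child == parent:
                hits[e["pid"]].add("self_spawn")
        elif t == "registry_set":
            if RUN_KEY_SYSHELPER.search(e["key"]):
                hits[e["pid"]].add("run_key_syshelper")
        elif t == "dns_query":
            if e["query"].lower() in C2_DOMAINS:
                hits[e["pid"]].add("c2_lookup")
        elif t == "file_rename":
            target = e["target"].lower()
            # Flow 2: encryption of the user profile, files renamed to .xaro.
            if target.startswith("c:\\users\\") and target.endswith(".xaro"):
                hits[e["pid"]].add("xaro_encrypt")
    return hits


def classify(events):
    """Return {pid: flow} for processes matching one of the two observed flows.

    Both flows require the self-spawn plus the SysHelper Run key; the second
    additionally shows C2 contact and/or .xaro encryption.
    """
    verdicts = {}
    for pid, inds in indicators_by_pid(events).items():
        if {"self_spawn", "run_key_syshelper"} <= inds:
            second = bool(inds & {"c2_lookup", "xaro_encrypt"})
            verdicts[pid] = "xaro_flow2" if second else "xaro_flow1"
    return verdicts


# Constructed sample telemetry (assumption): PIDs 100/101 model the first
# flow, 200/201 the second, 300 is benign noise (a long-named self-spawn).
TMP = r"C:\Users\User\AppData\Local\Temp"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 50, "image": TMP + r"\5r64.exe",
     "parent_image": r"C:\Users\User\Desktop\install.exe"},
    {"type": "process_create", "pid": 101, "ppid": 100, "image": TMP + r"\5r64.exe",
     "parent_image": TMP + r"\5r64.exe"},
    {"type": "registry_set", "pid": 101, "key": RUN_KEY, "value": TMP + r"\5r64.exe"},
    {"type": "process_create", "pid": 200, "ppid": 50, "image": TMP + r"\b7k2.exe",
     "parent_image": r"C:\Users\User\Desktop\install.exe"},
    {"type": "process_create", "pid": 201, "ppid": 200, "image": TMP + r"\b7k2.exe",
     "parent_image": TMP + r"\b7k2.exe"},
    {"type": "registry_set", "pid": 201, "key": RUN_KEY, "value": TMP + r"\b7k2.exe"},
    {"type": "dns_query", "pid": 201, "query": "api.2ip.ua"},
    {"type": "file_rename", "pid": 201, "source": r"C:\Users\User\Documents\report.docx",
     "target": r"C:\Users\User\Documents\report.docx.xaro"},
    {"type": "file_rename", "pid": 201, "source": r"C:\Users\User\Pictures\a.jpg",
     "target": r"C:\Users\User\Pictures\a.jpg.xaro"},
    {"type": "process_create", "pid": 300, "ppid": 299,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "dns_query", "pid": 300, "query": "www.google.com"},
]

if __name__ == "__main__":
    for pid, flow in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, flow, sorted(indicators_by_pid(SAMPLE_EVENTS)[pid]))
```

The self-spawn check is deliberately restricted to four-character alphanumeric image names, because many legitimate programs (browsers, updaters) also spawn copies of themselves; the Run-key value name and the .xaro rename under the user profile are the indicators that turn a weak signal into a verdict. The C2 domain is kept defanged in the indicator set and refanged at load time, which matches how such indicators are usually shared.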
A complete report on this ransomware variant has been published by Cybereason, with detailed information about the execution process, the payloads used, the source code and further findings.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 30 Nov 2023 21:55:08 +0000