DJVU ransomware’s Xaro variant spread via cracked software

December 22, 2023

The notorious DJVU ransomware’s new Xaro variant severely threatens unsuspecting users globally. Based on reports, this variant disguises itself as cracked software and wreaks havoc on compromised systems.

Researchers explained that the Xaro variant operates by appending the [.]xaro extension to the files it encrypts. The ransomware operators use this technique to hold the files hostage until their victims comply with their demands in exchange for a decryptor.
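The extension-append behaviour described above is also the simplest thing a defender can key on: a burst of renames to the same unusual extension on one host is a strong mass-encryption signal. The following Python script is an added example, not code from the article or from any vendor; it assumes a constructed, simplified file-activity log format (`<ISO timestamp> <host> RENAME <old path> -> <new path>`), and the alert threshold and time window are assumptions that a real deployment would tune.

```python
"""Flag hosts where many files are renamed to the .xaro extension in a short window.

Added illustrative example; the log format, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

XARO_EXT = ".xaro"            # extension the article says the Xaro variant appends
THRESHOLD = 5                 # renames per host per window before alerting (assumption)
WINDOW = timedelta(minutes=1) # sliding window length (assumption)

# Constructed sample events (not real telemetry): host-a shows a burst of
# .xaro renames, host-b shows ordinary activity plus a single .xaro rename.
SAMPLE_LOG = """\
2023-12-22T10:00:01 host-a RENAME C:\\Users\\u\\Documents\\report.docx -> C:\\Users\\u\\Documents\\report.docx.xaro
2023-12-22T10:00:02 host-a RENAME C:\\Users\\u\\Documents\\budget.xlsx -> C:\\Users\\u\\Documents\\budget.xlsx.xaro
2023-12-22T10:00:02 host-a RENAME C:\\Users\\u\\Pictures\\img1.jpg -> C:\\Users\\u\\Pictures\\img1.jpg.xaro
2023-12-22T10:00:03 host-a RENAME C:\\Users\\u\\Pictures\\img2.jpg -> C:\\Users\\u\\Pictures\\img2.jpg.xaro
2023-12-22T10:00:03 host-a RENAME C:\\Users\\u\\Pictures\\img3.jpg -> C:\\Users\\u\\Pictures\\img3.jpg.xaro
2023-12-22T10:00:04 host-a RENAME C:\\Users\\u\\Desktop\\notes.txt -> C:\\Users\\u\\Desktop\\notes.txt.xaro
2023-12-22T10:05:00 host-b RENAME C:\\Users\\v\\old.txt -> C:\\Users\\v\\new.txt
2023-12-22T10:06:00 host-b RENAME C:\\Users\\v\\a.pdf -> C:\\Users\\v\\a.pdf.xaro
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")


def parse_events(text):
    """Parse log lines into (timestamp, host, old_path, new_path) tuples.

    Malformed lines are skipped rather than aborting the whole scan.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, old, new = m.groups()
        events.append((datetime.fromisoformat(ts), host, old, new))
    return events


def find_mass_encryption(events, ext=XARO_EXT, threshold=THRESHOLD, window=WINDOW):
    """Return {host: {"count": n, "start": ts, "end": ts}} for every host whose
    number of renames to `ext` inside some `window` reaches `threshold`.

    Uses a two-pointer sliding window over each host's sorted timestamps and
    keeps the densest window seen per host.
    """
    per_host = defaultdict(list)
    for ts, host, _old, new in events:
        if new.lower().endswith(ext):
            per_host[host].append(ts)

    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        j = 0
        for i, ts in enumerate(stamps):
            while ts - stamps[j] > window:   # slide the window start forward
                j += 1
            n = i - j + 1
            if n >= threshold:
                best = alerts.get(host)
                if best is None or n > best["count"]:
                    alerts[host] = {"count": n, "start": stamps[j], "end": ts}
    return alerts


if __name__ == "__main__":
    for host, info in find_mass_encryption(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {info['count']} .xaro renames between "
              f"{info['start'].isoformat()} and {info['end'].isoformat()}")
```

The single `.xaro` rename on host-b deliberately stays below the threshold: one odd extension is noise, a burst is the signal. The same function works for any extension by passing `ext`, so the logic carries over to other DJVU variants that append a different suffix.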

The ransomware developers use an elaborate attack sequence to propagate the Xaro variant.

According to investigations, the ransomware actors distribute the Xaro variant through an elaborate attack chain. They disguise this malware as cracked software and propagate an archive file from a malicious source, posing as a site offering legitimate freeware.

Unsuspecting users who open this archive unintentionally execute what appears to be an installer binary for the PDF-writing software CutePDF. The installer is in fact PrivateLoader, a pay-per-install malware downloader service.

This loader is a significant step in delivering Xaro because it employs a shotgun approach, downloading and executing several commodity malware families at once. PrivateLoader commonly uses this tactic for infections originating from suspicious freeware or cracked-software sites.

Deploying Xaro this way serves two primary objectives: gathering sensitive information for double extortion, and ensuring the attack succeeds even if security software manages to block one of the payloads.

Furthermore, the Xaro campaign can also deploy an instance of the Vidar infostealer before Xaro encrypts files on the infected host and leaves victims with a ransom note. The note demands a payment of $980 for the private key and the decryptor tool, with a 50% discount to $490 if the victim pays within 72 hours.

This newly uncovered malicious activity has inherent risks since careless users could download the malware from untrusted sources. In a related campaign, FakeUpdateRU operators compromised websites and delivered fake browser update notices, luring unsuspecting visitors into a trap that unleashed the RedLine Stealer.

These new campaigns are examples of the growing trend of using fake downloads to infect unknowing users. Hence, everyone should be cautious and vigilant before downloading any software from untrusted sources. The emergence of Xaro should prompt users to be critical of any files they acquire for free on the internet.
