Free Software Turns Malicious: New DJVU Variant Emerges

Security researchers at Cybereason have identified a new variant of the ransomware “DJVU,” masquerading as free software.

According to security expert Ralph Villanueva, the attackers follow a well-known scheme, but this time the payload is a DJVU variant that appends the “.xaro” extension to every file it encrypts, hence the malware’s moniker “Xaro.”

DJVU is itself a variant of the STOP ransomware family and is frequently delivered alongside information stealers such as RedLine Stealer and Vidar, so a DJVU infection usually means credentials and data were already stolen before the files were encrypted, which is what makes these attacks particularly devastating.

Image: Cybereason

In the latest recorded attack, a malicious archive was distributed through a site posing as a source of free software. Executing the file installed PrivateLoader, a malware downloader that connected to the attackers’ C2 server and then fetched RedLine Stealer, Vidar, the XMRig cryptominer, and other malicious programs.

Researchers point out that the attackers’ primary goal is to harvest confidential data and extort money. The ransom demand suggests that Xaro targets individuals rather than organizations: $980, halved to $490 if paid within 72 hours, an early-payment discount more reminiscent of a traffic fine than of corporate extortion.

However, the ransomware is also a real threat to corporate networks, because it encrypts files on infected machines quickly and at scale, leaving little time to preserve data once it starts running.
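Because the appended extension is the one concrete indicator the report gives, a quick triage scanner for it is the first thing a responder would run on a suspect host or share. The following is an added example, not code from Cybereason or from the original article. It walks a directory tree, counts files carrying the “.xaro” extension, recovers their original names, records which directories were hit and the earliest modification time (a rough lower bound on when encryption began). The ransom note filename `_readme.txt` is an assumption about STOP/DJVU that the page itself does not state, and the sample directory layout is constructed so the script runs offline.

```python
"""Triage scanner for the STOP/DJVU "Xaro" indicators (added example)."""
import os
import tempfile
from pathlib import Path

# Indicator from the report: Xaro appends ".xaro" to every file it encrypts.
XARO_EXT = ".xaro"
# Assumed STOP/DJVU ransom note name; not stated on the page, treat as an assumption.
RANSOM_NOTE = "_readme.txt"


def original_name(encrypted_name: str) -> str:
    """Recover the pre-encryption file name by removing the appended extension."""
    if encrypted_name.lower().endswith(XARO_EXT):
        return encrypted_name[: -len(XARO_EXT)]
    return encrypted_name


def scan_tree(root: str) -> dict:
    """Walk `root` and collect Xaro indicators.

    Returns the encrypted files, the ransom notes found, the directories that
    contain encrypted files, and the earliest mtime among encrypted files.
    """
    encrypted, notes, dirs = [], [], set()
    earliest = None
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(XARO_EXT):
                encrypted.append(path)
                dirs.add(dirpath)
                mtime = os.path.getmtime(path)
                earliest = mtime if earliest is None else min(earliest, mtime)
            elif lower == RANSOM_NOTE:
                notes.append(path)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "dirs_hit": sorted(dirs),
        "earliest_mtime": earliest,
    }


def build_sample_tree(root: str) -> None:
    """Create a constructed layout imitating a partially encrypted share."""
    layout = {
        "docs/report.docx.xaro": b"ciphertext",
        "docs/budget.xlsx.xaro": b"ciphertext",
        "docs/_readme.txt": b"ATTENTION! (constructed note text)",
        "docs/notes.txt": b"untouched plain file",
        "photos/holiday.jpg.xaro": b"ciphertext",
        "photos/_readme.txt": b"ATTENTION! (constructed note text)",
        "tools/installer.exe": b"MZ (constructed, not a real binary)",
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_tree(tmp)
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return {
            "encrypted_count": len(found["encrypted"]),
            "note_count": len(found["notes"]),
            "dirs_hit": [rel(d) for d in found["dirs_hit"]],
            "recovered_names": [rel(original_name(p)) for p in found["encrypted"]],
            "earliest_mtime": found["earliest_mtime"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scan_tree` at a real share rather than the temp directory to use it in an investigation; the `dirs_hit` list shows how far encryption progressed, and `earliest_mtime` is the first timestamp worth pulling logs around.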

Bundling malware with supposedly free software is a common lure for quietly installing malicious code, so downloads of such programs warrant extra scrutiny.

Always verify that a site offering software is legitimate before downloading from it, prefer the vendor’s own distribution channel, and run a reliable antivirus solution that can intercept the loader before it fetches its payloads. Keeping software updated and maintaining backups the malware cannot reach greatly improve the odds that an infection ends as an inconvenience rather than a disaster.