Cybereason reports new TTPs identified in a new variant—dubbed "Xaro"—of the DJVU ransomware, including:
Leveraging compromised freeware available on the internet, in a manner similar to a typical watering-hole attack; the victim would go to download the weaponized file and inadvertently pave the way for ransomware infection. Nonetheless, by choosing which freeware to compromise, cybercriminals may project a certain agenda in targeting a specific group of users, e.g., based on professional and/or expected behavioral indicators.
The infection chain begins with a loader—frequently Smokeloader, which has recently been used to load the Phobos ransomware by the 8base group.
The loader performs a twofold action; on the one hand, it loads information stealers such as RedLine and LummaC2, among others, and on the other hand, loads the .xaro file containing the ransomware payload alongside the TXT ransom note. This approach enables the extension of damage for the user whose data is breached and encrypted simultaneously.