In the course of our routine darkweb monitoring, the Cyble research team discovered a new variant of the DJVU malware that belongs to the STOP ransomware family. This new variant has become one of the most widespread file-encrypting viruses of 2021.
DJVU was first identified in December 2018. In addition to attacks in the United States, most of its victims are in Europe, Asia, South America, and Africa. The DJVU malware uses the Advanced Encryption Standard (AES) or RSA cryptographic algorithms to encrypt files on the victim machine.
The Cyble research team found a sample of the DJVU malware and performed a technical analysis. We identified that the malware enters users' systems when they download and execute malicious files, obtained from torrents, that masquerade as software cracks or keygens promising free use of paid software.
The payload we picked for analysis has the hash value c6c76994fa516093b3bb1250efa5e5427ff5e7f9aea044692f2b080b0084d21c.
The text section of the malware sample has a high entropy value, indicating that it is packed or encrypted. The malware is written in C/C++, and its static information is shown in figure 1.
Figure 1 Static Information of the Sample
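Section entropy is the static check behind the "packed/encrypted" observation above. The following is an added example (not code from the Cyble report or from the malware) that walks the PE section table of an in-memory image, computes the Shannon entropy of each section's raw bytes, and flags sections above a threshold. The 7.0 bits/byte threshold is an assumed common heuristic, not a value from the report, and the sample image is constructed in memory rather than being the analysed payload.

```python
import math
import os
import struct
from collections import Counter

# Assumed heuristic: a section whose byte entropy exceeds ~7.0 bits/byte is
# likely packed or encrypted. Plain x86 code usually sits around 5.5-6.5.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropies(image: bytes) -> dict:
    """Walk the PE section table of an in-memory image; return {section_name: entropy}."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    result = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        result[name] = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
    return result


def packed_sections(entropies: dict, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy meets the packed/encrypted heuristic."""
    return sorted(n for n, e in entropies.items() if e >= threshold)


def build_sample_pe() -> bytes:
    """Constructed minimal PE (no optional header) with a random-looking .text
    section and a repetitive .data section, standing in for a real sample."""
    text_data = os.urandom(4096)          # stands in for packed code
    data_data = b"ABCD" * 1024            # four symbols -> exactly 2.0 bits/byte
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)       # 2 sections, no optional header
    hdr_end = 0x40 + 4 + 20 + 2 * 40                                  # raw data starts here

    def sect(name, size, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, chars)

    sections = (sect(b".text", len(text_data), hdr_end, 0x60000020)
                + sect(b".data", len(data_data), hdr_end + len(text_data), 0xC0000040))
    return dos + b"PE\0\0" + coff + sections + text_data + data_data


if __name__ == "__main__":
    ents = pe_section_entropies(build_sample_pe())
    for name, e in ents.items():
        print(f"{name:8s} {e:5.2f} bits/byte")
    print("likely packed:", packed_sections(ents))
```

To run it against a real file, pass `open(path, "rb").read()` to `pe_section_entropies`; the parser only reads header fields, so it never executes anything from the sample.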
The screenshot below shows the malware's process tree.
Figure 2 Output of the Malware Process Tree
The screenshot below shows the API list, along with the anti-debugging APIs.
Figure 3 Windows API List Used in the Malware
The malware payload uses customized AES or RSA encryption algorithms to encrypt files and appends various extensions. In most cases, victims can identify a DJVU infection immediately because the encrypted files gain an extension that names the variant. The image below shows that, for the sample we analysed, encrypted files are appended with the extension ".QSCX".
Figure 4 Encrypted Files in the Victim Machine
Command & Control Communication
Once the malware enters the victim machine, it performs an infection sequence in several steps. These involve modifying system files, changing Windows registry entries, and deleting shadow volume copies to prevent file recovery. Next, the parent executable installs itself under LocalAppData and downloads several child files: updatewin1.exe, updatewin2.exe, and 1.exe.
The image below shows the malware attempting to download and execute the malicious payload files.
Figure 5 Payload Delivery and Execution
The image below shows the ransomware trying to download multiple stagers from various URLs.
Figure 6 Malware Downloading Stagers from Various URLs
Payload download URL: “hxxp://asvb.top/files/penelop/updatewin2[.]exe”
The malicious dropped files use the following evasion techniques:
- Using a PowerShell script, the malware disables Windows Defender Antivirus functionality such as real-time protection.
- The malware also prevents users from seeking help from security provider websites by modifying the victim's Windows hosts file.
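A tampered hosts file is one of the easiest post-infection artifacts to check. The following is an added example (not from the Cyble report) that parses hosts-file text, reports any entry for a watched security-vendor hostname, and lists names that have been sunk to loopback or 0.0.0.0. The watched hostnames and the sample hosts file are constructed placeholders; a real deployment would substitute the vendor domains relevant to its environment and read `C:\Windows\System32\drivers\etc\hosts`.

```python
import ipaddress
from typing import Dict, List

# Constructed placeholders for security-provider hostnames worth watching.
WATCHED_HOSTS = {
    "av-vendor.example",
    "www.av-vendor.example",
    "updates.security-provider.example",
}
# Targets that make a hostname unreachable when used in a hosts file.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file: two stock lines, three entries of the kind a
# tampering dropper adds, and one legitimate internal override.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# entries of the kind a tampering dropper would add (constructed):
0.0.0.0         av-vendor.example
0.0.0.0         www.av-vendor.example
127.0.0.1       updates.security-provider.example
10.0.0.5        intranet.example   # legitimate internal override
"""


def parse_hosts(text: str) -> List[Dict]:
    """Parse hosts-file text into [{'line', 'ip', 'names'}], skipping comments and junk."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])        # first token must be an IP
        except ValueError:
            continue
        entries.append({"line": lineno, "ip": parts[0],
                        "names": [p.lower() for p in parts[1:]]})
    return entries


def find_blocked_hosts(text: str, watched=WATCHED_HOSTS) -> List[Dict]:
    """Entries that pin a watched hostname to any address; a clean hosts file has none."""
    findings = []
    for e in parse_hosts(text):
        hits = [n for n in e["names"] if n in watched]
        if hits:
            findings.append({"line": e["line"], "ip": e["ip"], "names": hits})
    return findings


def sinkholed_names(text: str) -> List[str]:
    """Hostnames (other than localhost itself) mapped to a sinkhole address."""
    return sorted(n for e in parse_hosts(text) if e["ip"] in SINKHOLE_ADDRS
                  for n in e["names"] if n not in LOCALHOST_NAMES)


if __name__ == "__main__":
    for f in find_blocked_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {', '.join(f['names'])}")
    print("sinkholed:", sinkholed_names(SAMPLE_HOSTS))
```

Reporting both views matters: the watch-list catches known vendor domains regardless of the target address, while the sinkhole list surfaces blocked names that are not on the list yet.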
Once the encryption process is complete, the malware contacts the C2 server with a unique ID derived from the victim's MAC address. As shown in the image below, the C2 server responds with a personal ID. The malware then creates a scheduled task named "Time Trigger Task" that regularly encrypts newly added files.
Figure 7 Personal ID of the Victim Machine Generated by the C2 Server
The following Wireshark image depicts the post-infection communication between the victim machine and the C2 server.
Figure 8 Communication Traffic Between the Malware and the C2 Server
The image below illustrates the domain name with which the malware tries to communicate.
Figure 9 Domain with which the Malware is Communicating
The image below shows the public key hardcoded in the payload.
Figure 10 Public Key Hardcoded Within the Malware
The malware drops a ransom note named _readme.txt on the C drive, demanding a ransom of $980 (or $490) in Bitcoin for the file recovery tool. The ransom note obtained during our analysis is shown in figure 11.
Figure 11 Ransom Note
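The two artifacts named on this page, the ".QSCX" extension and the _readme.txt note, are enough for a first scoping pass on an affected host. The following is an added example (not from the Cyble report) that walks a directory tree, counts encrypted files and ransom notes, lists the affected directories, and recovers original filenames from the double extension. The directory layout it builds under a temporary folder is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Values observed on the analysed sample, as stated in the report.
ENCRYPTED_EXT = ".qscx"      # encrypted files are appended with ".QSCX"
RANSOM_NOTE = "_readme.txt"  # ransom note dropped by the malware


def assess_tree(root) -> dict:
    """Walk `root` and summarise how far the encryption spread."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            if p.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(p)
            elif f.lower() == RANSOM_NOTE:
                notes.append(p)
    affected = sorted({p.parent.relative_to(root).as_posix() for p in encrypted})
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "affected_dirs": affected,
        # the original name survives as the inner extension, e.g. report.docx.QSCX
        "original_names": sorted(p.name[:-len(ENCRYPTED_EXT)] for p in encrypted),
    }


def build_sample_tree() -> str:
    """Constructed directory layout mimicking a partially encrypted user profile."""
    base = Path(tempfile.mkdtemp(prefix="djvu-triage-"))
    layout = {
        "Documents/report.docx.QSCX": b"\x00" * 16,
        "Documents/_readme.txt": b"constructed ransom note text",
        "Pictures/holiday.jpg.QSCX": b"\x00" * 16,
        "Pictures/_readme.txt": b"constructed ransom note text",
        "Projects/notes.txt": b"untouched file",
        "_readme.txt": b"constructed ransom note text",
    }
    for rel, content in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return str(base)


if __name__ == "__main__":
    summary = assess_tree(build_sample_tree())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Because the page notes a scheduled task that re-encrypts newly added files, run the assessment again after isolating the host; a rising count between runs indicates the task is still active.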
The following security recommendations, when implemented, may help prevent infection by this DJVU ransomware variant.
- Use the shared IoCs to monitor for and block the malware infection.
- Turn on automatic software updates on your computer, mobile, and other connected devices wherever possible and practical.
- Use a reputable antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Back up regularly and keep backups offline or on separate networks.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Defense Evasion | T1027, T1202, T1562.001 | Obfuscated Files or Information; Indirect Command Execution; Impair Defenses: Disable or Modify Tools |
| Initial Access | T1078 | Valid Accounts |
| Discovery | T1120, T1082 | Peripheral Device Discovery; System Information Discovery |
| Impact | T1486, T1490 | Data Encrypted for Impact; Inhibit System Recovery |
Indicators of Compromise (IoCs):
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.