DJVU Malware of STOP Ransomware Family Back with New Variant

In the course of our routine darkweb monitoring, the Cyble research team discovered a new variant of the DJVU malware that belongs to the STOP ransomware family. This new variant has become one of the most widespread file-encrypting viruses of 2021. 

DJVU was first identified in December 2018. In addition to attacks in the United States, most of its victims are from Europe, Asia, South American, and Africa. The DJVU malware uses Advanced Encryption Standard (AES) or RSA cryptography algorithms for encrypting files in the victim machine.  

The Cyble research team found a sample of the DJVU malware and performed the technical analysis. We have identified that the malware enters the systems of users when they download and execute malicious files masquerading as software cracks or keygens that allow users to use paid software for free by downloading from torrent. 

Technical analysis 

The payload which we have picked for analysis has a hash value of c6c76994fa516093b3bb1250efa5e5427ff5e7f9aea044692f2b080b0084d21c 

The text section of the malware sample has a high entropy value, indicating that it is packed/encrypted. The malware has been developed using the C/C++ language, and its static information is shown in figure 1. 

Figure 1 Static Information of the Sample 

The screenshot below showcases a schematic representation of the processes (Process Tree) of the malware. 

Figure 2 Output of the Malware Process Tree 

The screenshot below shows the API list, along with the anti-debugging APIs. 

Figure 3 Windows API List Used in the Malware 

The malware payload uses customized AES or RSA encryption algorithms for encrypting files and adding various extensions. In most cases, the infection by the DJVU ransomware can be instantly identified by victims because the files are added with an extension that specifies the name of the virus. The image below clearly shows that in the case of the malware sample we analysed, after encryption the files are appended with the extension “.QSCX”.  

Figure 4 Encrypted Files in the Victim Machine 

Command & Control Communication 

Once the malware enters the victim machine, it performs an infection sequence in several steps. These involve modifying the system files, changing Windows registry entries, and deleting shadow volume copies to avoid file recovery. Next, the parent executable gets installed into the LocalAppData[5] and then downloads several child files: updatewin1.exe, updatewin2.exe, and 1.exe. 

The image below showcases the process in which the malware tries to download and execute malicious payload files.  

Figure 5 Payload Delivery and Execution 

The image below shows the ransomware trying to download multiple stagers from various URLs.  

Figure 6 Malware Downloading Stagers from Various URLs  

Payload download URL: “hxxp://asvb.top/files/penelop/updatewin2[.]exe” 

Here are the evasion techniques used by the malicious dropped files.  

  • Using a PowerShell script, the malware disables the functionalities of the Windows Defender Anti-virus, such as real-time protection. 
  • The malware also prevents users from requesting security assistance from various security provider websites by changing the victim’s Windows host files. 

Once the encryption process is complete, the malware calls the C2 server with the unique ID based on the victims’ MAC address. As showcased in the image below, the C2 server then responds by providing a personal ID. The malware then generates a scheduled task called the Time Trigger Task that regularly encrypts newly added files. 

Figure 7 Personal ID of the Victim Machine Generated by the C2 Server 

The following Wireshark image depicts the post-infection communication between the victim machine and the C2 server.  

Figure 8 Communication Traffic Between the Malware and the C2 Server 

The image below illustrates the domain name with which the malware tries to communicate.  

Figure 9 Domain with which the Malware is Communicating  

The image below showcases the public key hardcoded in the payload source code.  

Figure 10 Public Key Hardcoded Within the Malware 

Ransom Note 

The malware drops a ransom note named _readme.txt in the C drive, asking for a ransom of $980/$490 in Bitcoins for the file recovery tool. The ransom note obtained from our technical analysis is shown in figure 11. 

Figure 11 Ransom Note 

Security Recommendations: 

Following are some of the security recommendations that may help avoid the attack from the DJVU ransomware variant when successfully implemented. 

  • Use the shared IoCs to monitor and block the malware infection.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Conducting regular backup practices and keeping backups offline or in separated networks.  

MITRE ATT&CK® Techniques 
  

Tactic  Technique ID  Technique Name  
Defense Evasion  T1027  T1202  T1562.001    1. Obfuscated Files or Information  2. Indirect Command Execution  3. Impair Defences: Disable or Modify Tools    
Initial access  T1078  1. Valid Accounts    
Discovery  T1120  T1082  1. Peripheral Device Discovery  2. System Information Discovery  
Impact  T1486  T1490  1. Data Encrypted for Impact  2. Inhibit System Recovery  

Indicators of Compromise (IoCs):  

SHA256 
955d3a37079121cee3f5455349c3edebe843668dfe1a0bd20602d3a6e15b3c20 
480558a688a4f9a32e95a98fbb5db32fb18ab77917a20b97c15052cda1e76658 
92a8da9880227a443742464a076cbb19668149454b5ef986ff0fdc3c436af245 
1c50afaba4d40f2ee163cbdfeebea0e4cc07751c54b7660524b9b9530866af19 
9e5717bedcd46ccdadfc0796834f62ca0769b86b26ee58a8eda27e4a2cfbb20f 
fd2f84ccf7fd45fb3cd369617e269649735e5b9c0332ff729dd4fd4862af4466 
a8f64b8c29d1f5aca8548a8767c90e58887dce397702ec1f9cf678b3f13a0b5e 
cbc8c53b7e19241457a0d54139406edbe7e778f59c079d7d7cc39e44b83131e9 
c6c76994fa516093b3bb1250efa5e5427ff5e7f9aea044692f2b080b0084d21c 
f32903a5171c64d7cb930258df364dd7c16b7417736b7bd4c12285938b6324ea 
f3e15a3d8bca4900653cec63446dc1b831622514479494cf3fea110b76e1e03b 
69642c0265410313e3199502bb7766ee8a4369a3747b2a823a896f6cf2ed8cb9 
0fbc5d24e63e23fb5ca4d84b8219f51e78a8e02084b454e9c4712d9e7364fc3a 
0ce120e71b9776c6057577f2e491dbd785759439350c159e18a05260567e3dcf 
f05349da03923bfcfe2c8411429c5f2b022dc7ca40960ad66c1527818039ce74 
406852258a93af650ebe04ae214e1bf533527dcf0b2d4127e3ebc0342bfac86b 
a8179df80d8b09d292559366fa3883b27b9ab84181292a065a869a93b7d1cb92 
a1296c1e2296049eb3a3dc3fcf174fe91471e0ec0a0c1a753d6103e7a070429f 
849a3e76731c918716b6014d8a8d4863996d45eddc5b13b16420ebb106b3cd28 
f399f62a06d015a0d54c4692e86e93fe0787d67f8de30b2dc09c30fc4f172e2b 
f3135a9b5ffcd2f7abe4d9ad51a3deb7a4c7493e6a9e24a54820894c8b7ed500 
5f518816a424635601a46f3fb10db422b12cbd30e2884b62303514267929e799 
URLs 
hxxp://asvb.top/files/penelop/5.exe 
hxxp://asvb.top/nddddhsspen6/get.php?pid=657CFB2A6AB1CE9ADA6298A3725A7C1E 
hxxp://asvb.top/files/penelop/updatewin.exe 
hxxp://asvb.top/nddddhsspen6/get.php?pid=76C22FD2EA11F0E9961EF5C6D4B2240F&first=true 
hxxp://asvb.top/files/penelop/updatewin2.exe 
hxxp://asvb.top/files/penelop/3.exe 
hxxp://asvb.top/nddddhsspen6/get.php?pid=F7E0EF544C5C35BFCBAE00FDCB4667E1&first=true 
hxxps://api.2ip.ua/geo.json 
hxxp://asvb.top/files/penelop/updatewin1.exe 
hxxps://api.2ip.ua:80/geo.json 
hxxp://asvb.top/files/penelop/4.exe 

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. 

Leave a Comment

Your email address will not be published.

%d bloggers like this: