DJVU: The Ransomware That Seems Strangely Familiar…

DJVU ransomware masquerades as legitimate software or decoy files and often partners with other threats to download information stealers for data exfiltration. It evolved from STOP ransomware, adding obfuscation and a highly flexible infection chain that includes GeoIP checks, privilege escalation, and encryption. #DJVU #RedLine

Keypoints

  • DJVU is a variant of STOP ransomware that now sometimes deploys information stealers (e.g., Vidar/Redline) through partnerships to enhance data theft.
  • Infection vectors are flexible and often rely on masquerading as legitimate downloads, cracked software, or decoy files on file-hosting/torrent sites.
  • The malware uses multiple obfuscation layers, including TEA-based shellcode and XOR, plus process hollowing to inject the payload into another process.
  • A GeoIP lookup determines victim location; if the country matches CIS nations, the payload does not execute.
  • Persistence and privilege escalation are achieved via a randomly generated AppData\Local folder, icacls protections, a Run registry key, admin elevation, and a scheduled task.
  • DJVU communicates with a C2 using a MAC address-derived MD5 hash (offline/online IDs), stores responses in local files, and may drop additional malware from external domains.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – DJVU begins its execution chain with several layers of obfuscation meant to slow down analysis… “The first shellcode stage is encrypted using the Tiny Encryption Algorithm (TEA).”
  • [T1055] Process Injection – “The second stage of shellcode then starts a new process using the same binary. It uses process hollowing to inject the unobfuscated copy of the malware into the new process.”
  • [T1082] System Information Discovery – “The threat’s malicious activity begins in earnest by finding out where the victim’s device is located. It does this by checking the device location via a GeoIP lookup service at the following URL: ‘hxxps[:]//api[.]2ip[.]ua/geo[.]json’.”
  • [T1053.005] Scheduled Task – “The malware creates persistence via a scheduled task using the ITaskService interface of the TaskScheduler COM object.”
  • [T1112] Modify Registry – “The malware creates persistence via a registry Run key called ‘SysHelper’ in the following registry path: ‘HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run’.”
  • [T1548.001] Abuse Elevation: UAC – “ShellExecute APIs with the ‘runas’ verb to attempt to start itself again with Admin privileges. Depending on the victim’s device settings, this might display a User Account Control (UAC) dialog box…”
  • [T1071.001] Web Protocols – “The payload then runs in an elevated state, with the arguments… The malware then uses a MAC address MD5 to connect to a malicious command-and-control (C2) using the following URL: hxxps[:]//acacaca[.]org/d/test1/get.php?pid={MAC Address_MD5}&first=true”
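The behaviours listed above translate directly into detection logic. The following Python is an added defender-side example, not code from the BlackBerry write-up: it classifies proxy log lines against the GeoIP lookup host and C2 check-in pattern quoted on this page (a 32-hex-character MAC-derived MD5 passed as `pid` to `get.php`, plus the listed domains), flags the `SysHelper` Run-key value, and checks whether a GeoIP lookup was followed by a C2 check-in from the same client, which is the ordering the write-up describes. The log line format, the client IP, the `update.exe` path on rgyui.top and the Run-key data paths are constructed sample values, not indicators from the page.

```python
"""Detection helper for the DJVU/STOP indicators described on this page (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Hosts, paths and registry details taken from the indicators and quotes on the page.
GEOIP_HOST = "api.2ip.ua"
GEOIP_PATH = "/geo.json"
KNOWN_BAD_DOMAINS = {"acacaca.org", "rgyui.top"}
PID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # MD5 hex digest derived from the MAC address
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SysHelper"

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>".
# The microsoft.com and rgyui.top/dl/update.exe lines are sample values, not page IoCs.
SAMPLE_PROXY_LOG = [
    "2022-09-01T10:00:01Z 10.0.0.5 GET https://www.microsoft.com/ 200",
    "2022-09-01T10:00:04Z 10.0.0.5 GET https://api.2ip.ua/geo.json 200",
    "2022-09-01T10:00:09Z 10.0.0.5 GET http://acacaca.org/test1/get.php?pid=53B1E5DA52C0B1B73B57A5129A43BC5D&first=true 200",
    "2022-09-01T10:00:15Z 10.0.0.5 GET http://rgyui.top/dl/update.exe 200",
]

# Constructed Run-key dump (key, value name, data); the file paths are placeholders.
SAMPLE_RUN_VALUES = [
    {"key": RUN_KEY, "name": "OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"key": RUN_KEY, "name": "SysHelper",
     "data": r"C:\Users\user\AppData\Local\<random-folder>\<sample>.exe"},
]


def classify_url(url):
    """Return (kind, pid) for a URL matching a page indicator, or None for anything else."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == GEOIP_HOST and parts.path == GEOIP_PATH:
        return ("geoip-lookup", None)
    if host in KNOWN_BAD_DOMAINS:
        pid = parse_qs(parts.query).get("pid", [None])[0]
        if parts.path.endswith("/get.php") and pid and PID_RE.match(pid):
            return ("c2-checkin", pid.upper())  # page IoC shows the pid in upper-case hex
        return ("known-bad-domain", None)
    return None


def scan_proxy_log(lines):
    """Scan whitespace-separated proxy log lines; return one finding per matching line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        tokens = line.split()
        url = next((t for t in tokens if t.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        result = classify_url(url)
        if result is None:
            continue
        kind, pid = result
        client = tokens[1] if len(tokens) > 1 else None
        findings.append({"line": lineno, "client": client, "url": url, "kind": kind, "pid": pid})
    return findings


def geoip_then_checkin(findings):
    """True if any client performed the GeoIP lookup and later a C2 check-in (page ordering)."""
    seen_geoip = set()
    for f in findings:  # findings are in log order
        if f["kind"] == "geoip-lookup":
            seen_geoip.add(f["client"])
        elif f["kind"] == "c2-checkin" and f["client"] in seen_geoip:
            return True
    return False


def check_run_values(entries):
    """Return the names of Run-key values matching the SysHelper persistence entry."""
    return [e["name"] for e in entries
            if e["key"].lower() == RUN_KEY.lower() and e["name"] == RUN_VALUE_NAME]


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h)
    print("GeoIP lookup followed by C2 check-in:", geoip_then_checkin(hits))
    print("Suspicious Run values:", check_run_values(SAMPLE_RUN_VALUES))
```

Matching on the `pid` shape rather than the single value on the page lets the same rule fire for other victims, since each infected host produces its own MAC-derived MD5; the GeoIP-then-check-in sequence check is what separates this from an analyst simply browsing the 2ip.ua service.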

Indicators of Compromise

  • [URL] Malicious URLs – hxxp://116.202.180.202/8069076584.zip, hxxp://acacaca.org/test1/get.php?pid=53B1E5DA52C0B1B73B57A5129A43BC5D&first=true
  • [Domain] Domains – acacaca.org, rgyui.top
  • [IP Address] IP addresses – 116.202.180.202
  • [Email] Email Addresses – Support[at]bestyourmail[.]ch, Datarestorehelp[at]airmail[.]cc
  • [PDB Path] PDB Paths – e:\doc\my work (c++)\_git\encryption\release\encrypt_win_api.pdb, C:renobi11_senuxisecituxacoxuzeflayesarelimefuzazokusuf.pdb
  • [SHA256] Hashes – db41e055496b7eb3dfed7bc50a2afe8636c742a1d0963489569134d9e95aa1fc, 5fc8f1eddeb98d127899c15663275da4a30b734e0c812ea4ca24fc99023329da, and 1 more hash
  • [Mutex] Mutexes – {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
  • [File Name] File Names – readme.txt, Bowsakkdestx.txt
  • [File Extension] Excluded Extensions – .sys, .ini, and other N items

Read more: https://blogs.blackberry.com/en/2022/09/djvu-the-ransomware-that-seems-strangely-familiar