Rewterz Threat Alert – DJVU Ransomware – Active IOCs

Severity

High

Analysis Summary

DJVU was one of the most active and widespread ransomware families in 2019. Although it had existed for about a year before that, 2019 was the first year it was used aggressively in campaigns. Continuously changing its file extensions and payloads has helped it evade detection, and its encryption techniques also continue to improve. In earlier versions the key was not generated by the command and control servers, which made file recovery easier; in current versions decryption is more difficult. The malware has been delivered through cracked programs, keygens, activators, fake setup programs, and fake Windows updates. To avoid infecting victims in specific countries, DJVU does not rely on local information such as keyboard layouts and timezone settings, but instead uses the information returned by a request sent to https[:]//api.2ip.ua/geo.json. Persistence is achieved through a scheduled task. The MAC address of the Ethernet card is used as the basis of a unique identifier for the system. This identifier is sent to DJVU's command and control server, which then returns an RSA-2048 public key to be used for encryption. Additional malware is then downloaded and installed, including an information stealer called Vidar.

Impact

  • Information Theft
  • File Encryption

Indicators of Compromise

MD5

  • 3a4e7b7039dd82e7e0afef515e75bc41
  • 50ec88332f353ada8cc10ce5384f5fa4
  • c102c1a1fb826ca65193e26a0c3dce8e

SHA-256

  • 454fb0f85224fed3066a923a728d75663e393f4a4aded1258fc13c837df923cc
  • f6a08429cbd561027170022beb3bd6909c382cbcd31fba78c3f099cb4a5a44f8
  • bca9202c0a7797a53a044821c5b5a372e770afe6bb8c830689159a0014aaabfe

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
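A minimal way to act on "Search for IOCs in your environment" is to hash files on disk and compare them against the MD5 and SHA-256 values listed above. The script below is an added example, not Rewterz's tooling; the hash sets are copied from this alert, the directory it walks is whatever path you pass in, and the `demo()` function writes a constructed benign file into a temporary directory so the scanner can be exercised offline.

```python
import hashlib
import tempfile
from pathlib import Path

# IOC values taken from the alert above (lower-case hex).
IOC_MD5 = {
    "3a4e7b7039dd82e7e0afef515e75bc41",
    "50ec88332f353ada8cc10ce5384f5fa4",
    "c102c1a1fb826ca65193e26a0c3dce8e",
}
IOC_SHA256 = {
    "454fb0f85224fed3066a923a728d75663e393f4a4aded1258fc13c837df923cc",
    "f6a08429cbd561027170022beb3bd6909c382cbcd31fba78c3f099cb4a5a44f8",
    "bca9202c0a7797a53a044821c5b5a372e770afe6bb8c830689159a0014aaabfe",
}


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(hashes: dict) -> list:
    """Return the names of the hash algorithms whose value matches an IOC."""
    hits = []
    if hashes["md5"].lower() in IOC_MD5:
        hits.append("md5")
    if hashes["sha256"].lower() in IOC_SHA256:
        hits.append("sha256")
    return hits


def scan_directory(root: Path) -> list:
    """Walk `root` recursively and return (path, matched_algorithms) pairs."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = match_iocs(hash_file(path))
        except OSError:
            # Unreadable or vanished file (locked, permission denied): skip it.
            continue
        if hits:
            findings.append((path, hits))
    return findings


def demo() -> int:
    """Scan a temporary directory holding one constructed benign file.

    Returns the number of IOC hits, which is 0 for this sample input.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "readme.txt"
        sample.write_bytes(b"constructed benign sample file\n")  # constructed input
        return len(scan_directory(Path(tmp)))


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for found, algos in scan_directory(target):
        print(f"IOC match ({', '.join(algos)}): {found}")
```

Run it as `python scan.py C:\Users` (or any directory) on a host you want to check. A hit on either digest is reported; a file that matches on MD5 but not SHA-256 still deserves a look, because the MD5 list and the SHA-256 list in the alert may describe different samples.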