The infection begins with the user downloading the archive file install.7z from an untrusted source masquerading as a site that distributes legitimate freeware.
- Once the archive file is unlocked using Winrar, it executes the install.exe file, which further downloads the malware loader.
- While the file hash for install.exe is still unknown, sandbox analysis suggests that it is an instance of PrivateLoader.
- Upon execution, the Xaro ransomware appends the .xaro extension to encrypted files and later drops a ransom note as the file_readme.txt.
Other key observations
The goal of the attack appears to gather and exfiltrate sensitive information for double extortion.
- Researchers noted that attackers used a shotgun approach as part of the infection process to deploy ransomware. They randomly infect vulnerable machines and seek ransom from victims.
- They were communicating with C2 servers in the Russian Federation, Malaysia, and Denmark.
- This communication resulted in the downloading and execution of a variety of commodity malware, such as RedLine Stealer, Vidar, Amadey, Nymaim, XmRig, and LummaStealer, in addition to Xaro ransomware.
Threat actors are known to favor cracked or fake software as a way to covertly deploy malicious code. As the scope of such risks can be devastating, users must refrain from downloading software from untrusted sources or sites. Additionally, organizations are advised to whitelist apps or sites to stay safe.