Pierluigi Paganini January 27, 2020

A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking.

Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware that has been enhanced to allow its operators to steal a greater amount of confidential files related to the military, government, financial statements, and banking.

In September 2019, BleepingComputer reported the discovery of a new piece of malware that included references to the Ryuk Ransomware and that was used to steal files with filenames matching certain keywords.

It is not clear if the malware was developed by the threat actors behind Ryuk Ransomware for data exfiltration.

“It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this stealer,” explained the popular malware researcher Vitali Kremez.

“What we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military operations, and law enforcement cases if the stolen files are exposed.” reported BleepingComputer.

The new variant of the Ryuk Stealer malware implements a new file content scanning feature and is able to search for additional keywords in the filenames for data exfiltration.

The variant of the Ryuk Stealer recently discovered is able to look for C++ code files (i.e. .cpp), further Word and Excel document types, PDFs, JPG image files, and also files associated with cryptocurrency wallets.

The scanning module first checks if the files on the systems have one of the above extensions, then it will check the contents of the files to verify the presence of one of the following keywords.

'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud', 'hack', 'defence', 'treason', 'censored', 'bribery', 'contraband', 'operation', 'attack', 'military', 'tank', 'convict', 'scheme', 'tactical', 'Engeneering', 'explosive', 'drug', 'traitor', 'suspect', 'cyber', 'document', 'embeddedspy', 'radio', 'submarine', 'restricted', 'secret', 'balance', 'statement', 'checking', 'saving', 'routing', 'finance', 'agreement', 'SWIFT', 'IBAN', 'license', 'Compilation', 'report', 'secret', 'confident', 'hidden', 'clandestine', 'illegal', 'compromate', 'privacy', 'private', 'contract', 'concealed', 'backdoorundercover', 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'unclassified', seed', 'personal', 'confident', 'mail', 'letter', 'passport', 'victim', 'court', 'NATO', 'Nato', 'scans', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan', 'Clearance'

In addition, the stealer will also check the presence of one of other 55 keywords in the filenames.

Once the document has passed the checks, it will be uploaded to an FTP site, experts pointed out that the code of the Ryuk stealer includes two FTP sites. At the time of the analysis, both sites were not reachable at the time of the analysis.

Targeted keywords in the new variant of the Ryuk stealer confirm that attackers are looking for confidential information in military, banking, finance and law enforcement.

Another aspect to consider is that operators behind ransomware are also interested in stealing sensitive data from their victims and use them to blackmail victims and force them to pay the ransom like the Maze ransomware gang does.

Pierluigi Paganini

(SecurityAffairs – Ryuk stealer, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]