Ryuk has now emerged within a new guise. In brief, the new strain of Ryuk Stealer exhibits advanced properties that enable it to target government and military sectors.
Ryuk Malware Stealer Revamped
Researchers from the MalwareHunterTeam have discovered a new Ryuk Stealer malware with advanced additions. The new strain is capable of aiming at high-profile targets such as military, government, finance, and banking sectors.
Anyone remember this “Ryuk Stealer”? Just because got a new sample. Took a quick look already and found that:
– they still not removed the Ryuk references (?)
– payload (the stealer itself) still has the same icon (helpful)
– they added about 20 new keywords…
cc @VK_Intel https://t.co/LacWzA06TV— MalwareHunterTeam (@malwrhunterteam) January 24, 2020
While the earlier Ryuk Stealer malware specifically targeted Word and Excel files, the new version has more targets. According to Vitali Kremez, it now targets seven file types including more Word and Excel files (other than docx and xlsx), pdf, jpg, C++ source code, and crypto-wallets.
When the stealer detects a file with a recognized extension, it then scans it for the presence of certain keywords.
Actually, don’t trust automated tools for these things.
?
So, here are the 2 lists (yes, 2 lists) from this new sample extracted manually. Maybe some spaces are missing (or originally wrong in sample?), but couldn’t care less, so enjoy as is… pic.twitter.com/dUMZ62TmSQ— MalwareHunterTeam (@malwrhunterteam) January 24, 2020
Upon finding the desired document, it then uploads the file to the attackers’ FTP site.
As evident from the targeted words list that includes words like ‘SWIFT’, ‘IBAN’, ‘radar’, ‘tactical’, EDGAR’, ‘newswire’, ‘federal’, ‘bureau’, and ‘investigation’, the new stealer clearly aims at pilfering sensitive information from government, military, and financial institutions.
It also specifically focuses on personal information of victims. It even includes some common names, such as ‘Liam’, ‘Olivia’, ‘James’, ‘Emma’, ‘Noah’, ‘Sophia’, ‘William’, ‘Isabella’, and ‘Logan’. Interestingly, all of these names are included in the ‘Top 5 Names in Each of the Last 100 Years’ list by the US Social Security Department.
Who Is Behind The New Stealer?
Though, the identity of the threat actor(s) behind this malware isn’t clear. Vitali Kremez told Bleeping Computer that they might be the same actors who devised Ryuk.
It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this stealer.
Moreover, the distribution of this malware in the wild and its possible bundling with other malware/ransomware is also not clear. It was only possible to detect this stealer as Ryuk owing to the leftover artifacts.
?Same of the Ryuk & ransomware artifacts left there:
1⃣”RyukReadMe.txt”
2⃣”UNIQUE_ID_DO_NOT_REMOVE”
3⃣”readme”?It seems like the #crimeware group deploys this stealer tool post-#ransomware deployment to grab sensitive data from the host.? pic.twitter.com/9NcDTesFdv
— Vitali Kremez (@VK_Intel) January 24, 2020
Therefore, the internet users must remain extremely cautious of any phishing emails, suspicious attachments, remote connections, and should ensure keeping their systems updated to avoid potential mishaps.
