A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking.

Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware that has been enhanced to allow its operators to steal a greater amount of confidential files related to the military, government, financial statements, and banking.

Anyone remember this "Ryuk Stealer"? Just because got a new sample. Took a quick look already and found that:

– they still not removed the Ryuk references (😂)

– payload (the stealer itself) still has the same icon (helpful)

– they added about 20 new keywords…

cc @VK_Intel https://t.co/LacWzA06TV — MalwareHunterTeam (@malwrhunterteam) January 24, 2020

In September 2019, BleepingComputer reported the discovery of a new piece of malware that included references to the Ryuk Ransomware and that was used to steal files with filenames matching certain keywords.

It is not clear if the malware was developed by the threat actors behind Ryuk Ransomware for data exfiltration .

“It is likely the same actor with the access to the earlier Ryuk version who repurposed the code p ortion for this stealer,” explained the p opular malware researcher Vitali Kremez.

“What we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military operations, and law enforcement cases if the stolen files are exposed.” reported BleepingComputer.

The new variant of the Ryuk Stealer malware implements a new file content scanning feature and is able to search for additional keywords in the filenames for data exfiltration .

Source BleepingComputer

The variant of the Ryuk Stealer recently discovered is able to look for C++ code files (i.e. .cpp), further Word and Excel document types, PDFs, JPG image files, and also files associated with cryptocurrency wallets.

The scanning module first check s if the files on the systems have one of the above extensions, then it will check the contents of the files to verify the presence of one of the following keywords.

'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud', 'hack', 'defence', 'treason', 'censored', 'bribery', 'contraband', 'operation', 'attack', 'military', 'tank', 'convict', 'scheme', 'tactical', 'Engeneering', 'explosive', 'drug', 'traitor', 'suspect', 'cyber', 'document', 'embeddedspy', 'radio', 'submarine', 'restricted', 'secret', 'balance', 'statement', 'checking', 'saving', 'routing', 'finance', 'agreement', 'SWIFT', 'IBAN', 'license', 'Compilation', 'report', 'secret', 'confident', 'hidden', 'clandestine', 'illegal', 'compromate', 'privacy', 'private', 'contract', 'concealed', 'backdoorundercover', 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'unclassified', seed', 'personal', 'confident', 'mail', 'letter', 'passport', 'victim', 'court', 'NATO', 'Nato', 'scans', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan', 'Clearance'

In addition, the stealer will also check the presence of one of other 55 keywords in the filenames.

Once the document has passed the checks, it will be uploaded to an FTP site, experts pointed out that the code of the Ryuk stealer includes two FTP sites. At the time of the analysis, both sites were not reachable at the time of the analysis.

Targeted keywords in the new variant of the Ryuk stealer confirm that attackers are looking for confidential information in military, banking, finance and law enforcement.

Another aspect to consider is that operators behind ransomware are also interested in stealing sensitive data from their victims and use them to blackmail victims and force them to pay the ransom like the Maze ransomware gang does.

Pierluigi Paganini

(SecurityAffairs – Ryuk stealer, hacking)