Ryuk Stealer Updated to Target More Files

Twitter user @malwrhunterteam recently discovered an updated version of the “Ryuk Stealer” malware. Ryuk Stealer automatically searches for and steals files from infected computers. It is thought to be related to Ryuk ransomware because it shares some code similarities, but it is not clear whether it is used by the same threat actors. The update is fairly straightforward; it looks for a few additional file types and keywords in filenames to decide which files to exfiltrate. Ryuk Stealer currently sends stolen files to two FTP servers identified within the binary. Both FTP servers are currently down. The keywords being used imply that Ryuk Stealer is looking for banking, finance, law enforcement, and military documents with a few personal keywords as well. The full list of file extensions and keywords used can be found below.

File Types:

.cpp, .h, .xls, .xlsx, .doc, .docx, .pdf, wallet.dat, .jpg

If a file with one of the above extensions is found, Ryuk Stealer checks its contents for any of the following words:

personal, securityN-CSR10-SBEDGAR, spy, radar, agent, newswire, marketwired, 10-Q, fraud, hack, defence, treason, censored, bribery, contraband, operation, attack, military, tank, convict, scheme, tactical, Engeneering, explosive, drug, traitor, suspect, cyber, document, embeddedspy, radio, submarine, restricted, secret, balance, statement, checking, saving, routing, finance, agreement, SWIFT, IBAN, license, Compilation, report, secret, confident, hidden, clandestine, illegal, compromate, privacy, private, contract, concealed, backdoorundercover, clandestine, investigation, federal, bureau, government, security, unclassified, seed, personal, confident, mail, letter, passport, victim, court, NATO, Nato, scans, Emma, Liam, Olivia, Noah, William, Isabella, James, Sophia, Logan, Clearance

The malware will also steal files if the filename contains any of the following keywords:

SECURITY, N-CSR, 10-SB, EDGAR,  spy , radar, censored, agent, newswire, marketwired, 10-Q, fraud, hack, NATO, Nato, convictMilitary, military, submarine, Submarinesecret, Secret, scheme, tactical, Engeneering, explosive, drug, traitor, embeddedspy, radio, suspect, cyber, document, treasonrestricted, private, confident, important, pass, victim, court, hidden, bribery, contraband, operation, undercover, clandestine, investigation, federal, bureau, government, security, unclassified, concealed, newswire, marketwired, Clearance
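As an added example (not the page's or the malware's code), the targeting rules above expressed as a check a defender can run over their own file inventory to see which documents would qualify for exfiltration and so deserve DLP coverage first. It uses only a subset of the keywords listed above; treating the filename check as independent of extension and using case-sensitive substring matching are assumptions, and the sample files are constructed.

```python
"""Exposure check built from the Ryuk Stealer targeting rules described above.
Assumptions not given on the page: the filename check applies regardless of extension
and matching is case-sensitive substring matching; only a subset of keywords is used."""
import os

# Extensions the page lists as targeted; wallet.dat is matched as a whole filename
TARGET_EXTENSIONS = {".cpp", ".h", ".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg"}
TARGET_FILENAMES = {"wallet.dat"}
# Subsets of the content and filename keyword lists given on the page
CONTENT_KEYWORDS = ["SWIFT", "IBAN", "passport", "routing", "clandestine", "NATO"]
FILENAME_KEYWORDS = ["SECURITY", "N-CSR", "EDGAR", "10-Q", "confident", "Clearance"]


def would_be_targeted(path, content):
    """Return the reasons a file matches the stealer's criteria (empty if none)."""
    reasons = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if name.lower() in TARGET_FILENAMES:
        reasons.append("filename is " + name)
    elif ext in TARGET_EXTENSIONS:
        # Content is inspected only for files with a targeted extension
        hits = [k for k in CONTENT_KEYWORDS if k in content]
        if hits:
            reasons.append("content keywords: " + ", ".join(hits))
    name_hits = [k for k in FILENAME_KEYWORDS if k in name]
    if name_hits:
        reasons.append("filename keywords: " + ", ".join(name_hits))
    return reasons


def exposure_report(files):
    """Map each file (path -> content) that would be taken to its match reasons."""
    report = {}
    for path, content in files.items():
        reasons = would_be_targeted(path, content)
        if reasons:
            report[path] = reasons
    return report


# Constructed sample inventory; paths and contents are made up for this example
SAMPLE_FILES = {
    "finance/q3_wire_instructions.xlsx": "Beneficiary IBAN and SWIFT code follow",
    "hr/onboarding_notes.docx": "Welcome to the team, lunch is at noon.",
    "legal/SECURITY_review_2020.txt": "meeting agenda",
    "crypto/wallet.dat": "\x00binary\x00",
    "src/parser.cpp": "int main() { return 0; }",
    "ops/Clearance_roster.pdf": "names and roles",
}
```

Calling `exposure_report(SAMPLE_FILES)` flags the spreadsheet (by content), the wallet file (by name) and the two files whose names carry SECURITY and Clearance, while the onboarding notes and the source file are left alone.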

Analyst Notes

Always keep anti-virus solutions up to date. When deploying security solutions for the enterprise, consider running an EDR (endpoint detection and response) solution side-by-side with AV products. An EDR solution or an MDR (managed detection and response) service can help spot threats before they spread too far. Analysts at the Binary Defense Security Operations Center detect threats on our clients’ workstations and servers 24 hours a day and respond quickly to contain infections, preventing minor incidents from becoming a source of major damage across the company. To combat data exfiltration, consider adding a DLP (data loss prevention) solution as another layer of security. Organizations that don’t need FTP should also block outgoing FTP traffic where possible.