Twitter user @malwrhunterteam recently discovered an updated version of the “Ryuk Stealer” malware. Ryuk Stealer automatically searches for and steals files from infected computers. It is thought to be related to Ryuk ransomware because it shares some code similarities, but it is not clear whether it is used by the same threat actors. The update is fairly straightforward; it looks for a few additional file types and keywords in filenames to decide which files to exfiltrate. Ryuk Stealer currently sends stolen files to two FTP servers identified within the binary. Both FTP servers are currently down. The keywords being used imply that Ryuk Stealer is looking for banking, finance, law enforcement, and military documents with a few personal keywords as well. The full list of file extensions and keywords used can be found below.
.cpp, .h, .xls, .xlsx, .doc, .docx, .pdf, wallet.dat, .jpg
If files with the above extensions are found, Ryuk Stealer will check the contents of the file to see if any of the following words are found:
personal, security, N-CSR, 10-SB, EDGAR, spy, radar, agent, newswire, marketwired, 10-Q, fraud, hack, defence, treason, censored, bribery, contraband, operation, attack, military, tank, convict, scheme, tactical, Engeneering, explosive, drug, traitor, suspect, cyber, document, embeddedspy, radio, submarine, restricted, secret, balance, statement, checking, saving, routing, finance, agreement, SWIFT, IBAN, license, Compilation, report, secret, confident, hidden, clandestine, illegal, compromate, privacy, private, contract, concealed, backdoor, undercover, clandestine, investigation, federal, bureau, government, security, unclassified, seed, personal, confident, mail, letter, passport, victim, court, NATO, Nato, scans, Emma, Liam, Olivia, Noah, William, Isabella, James, Sophia, Logan, Clearance
The malware will also steal files if the filename contains any of the following keywords:
SECURITY, N-CSR, 10-SB, EDGAR, spy, radar, censored, agent, newswire, marketwired, 10-Q, fraud, hack, NATO, Nato, convict, Military, military, submarine, Submarine, secret, Secret, scheme, tactical, Engeneering, explosive, drug, traitor, embeddedspy, radio, suspect, cyber, document, treason, restricted, private, confident, important, pass, victim, court, hidden, bribery, contraband, operation, undercover, clandestine, investigation, federal, bureau, government, security, unclassified, concealed, newswire, marketwired, Clearance
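As an added example (not code from the original post or from the malware itself), the Python triage helper below applies the selection rules listed above to a file tree, so responders can scope which files on a compromised host or share would have matched. It assumes case-sensitive substring matching (the lists carry both "NATO" and "Nato") and that the content scan only runs on files with a listed extension while the file-name check applies to every file; both are inferred from the lists rather than stated on the page, and the names `classify` and `scan_tree` are mine.

```python
import os
# Lists from the post above; 'wallet.dat' is a full file name; keyword duplicates dropped.
EXTENSIONS = (".cpp", ".h", ".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg")
EXACT_NAMES = ("wallet.dat",)
CONTENT_KEYWORDS = frozenset("""personal security N-CSR 10-SB EDGAR spy radar agent
newswire marketwired 10-Q fraud hack defence treason censored bribery contraband
operation attack military tank convict scheme tactical Engeneering explosive drug
traitor suspect cyber document embeddedspy radio submarine restricted secret balance
statement checking saving routing finance agreement SWIFT IBAN license Compilation
report confident hidden clandestine illegal compromate privacy private contract
concealed backdoor undercover investigation federal bureau government unclassified
seed mail letter passport victim court NATO Nato scans Emma Liam Olivia Noah William
Isabella James Sophia Logan Clearance""".split())
NAME_KEYWORDS = frozenset("""SECURITY N-CSR 10-SB EDGAR spy radar censored agent
newswire marketwired 10-Q fraud hack NATO Nato convict Military military submarine
Submarine secret Secret scheme tactical Engeneering explosive drug traitor embeddedspy
radio suspect cyber document treason restricted private confident important pass
victim court hidden bribery contraband operation undercover clandestine investigation
federal bureau government security unclassified concealed Clearance""".split())

def classify(path, content):
    """Return why a file would be selected; an empty list means it would not.
    Assumed: case-sensitive substring matching (the lists carry both 'NATO' and 'Nato'),
    content scanned only for listed extensions, file-name check applied to every file."""
    name = os.path.basename(path)
    reasons = []
    if name in EXACT_NAMES or name.lower().endswith(EXTENSIONS):
        # Raw byte search, so binary formats such as .docx are checked as-is.
        hits = sorted(k for k in CONTENT_KEYWORDS if k.encode() in content)
        if hits:
            reasons.append("content:" + ",".join(hits))
    # Substring test, so 'pass' also fires on 'passport' or 'bypass': expect noise.
    hits = sorted(k for k in NAME_KEYWORDS if k in name)
    if hits:
        reasons.append("name:" + ",".join(hits))
    return reasons

def scan_tree(root, max_bytes=1 << 20):
    """Map each matching file under root to its reasons, reading at most max_bytes."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                with open(p, "rb") as fh:
                    reasons = classify(p, fh.read(max_bytes))
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            if reasons:
                found[p] = reasons
    return found
```

Run `scan_tree` against a mounted image or share during incident response; a file listed under `name:` would have been taken regardless of its contents, which helps prioritise notification.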