Ryuk Related Malware Steals Confidential Military, Financial Files – DigitalMunition





Published on September 11th, 2019 📆 | 6316 Views ⚑


A new piece of malware with unexplained ties to the Ryuk Ransomware has been discovered that hunts for and steals confidential financial, military, and law enforcement files.

While Ryuk Ransomware encrypts a victim’s files and then demands a ransom, it is not known to exfiltrate files from an infected computer. A new infection discovered today by MalwareHunterTeam does exactly that: it searches for sensitive documents and uploads them to an FTP server under the attacker’s control.

To make this sample even more interesting, this data exfiltrating malware also contains some strange references to Ryuk within the code.

Searching for confidential files

In conversations with reverse engineer and security researcher Vitali Kremez, we get an idea of how the file stealer works. When executed, the stealer will perform a recursive scan of all the files on a computer and look for Word .docx and Excel .xlsx files to steal.

While scanning, if a folder or file name matches one of a set of hard-coded strings, the stealer skips that item and moves on to the next, much as ransomware skips the system folders it must not encrypt.

The full list of blacklisted files and folders is at the end of this article; it includes the usual entries such as “Windows”, “Intel”, “Mozilla”, “Public”, etc.

It also skips anything already associated with Ryuk, such as “RyukReadMe.txt” and files carrying the “.RYK” extension.

Blacklisted Strings

If the file passes the blacklist, the stealer will then check if it is a .docx or .xlsx file as shown below.

Searching for .docx and .xlsx files

When a .docx or .xlsx file is located, the stealer opens it with libzip (the zip_open and zip_trace functions are referenced) to verify that it is a genuine Word or Excel document rather than a renamed file: an Office Open XML document is a zip archive, so it checks for the presence of a word/document.xml entry (Word) or an xl/worksheets/sheet entry (Excel) inside the package.

Verifying Word Document

If the file passes that check, the stealer then compares the file’s name against a list of 77 strings. All of the strings are listed at the end of this article and include entries like “marketwired”, “10-Q”, “fraud”, “hack”, “tank”, “defence”, “military”, “checking”, “classified”, “secret”, “clandestine”, “undercover”, “federal”, etc.

Word of interest

As you can see, the actor is looking for military secrets, banking information, fraud and criminal investigation documents, and other sensitive material. Note that the match is on the file name only, not on document contents.
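To make the selection logic concrete, here is an added example in Python (not the stealer’s own code, and not from BleepingComputer or Kremez) that reproduces the three checks above so a defender can list which documents on a host would have been picked up. It assumes the blacklist and keyword tests are plain case-sensitive substring matches, which the article does not state. The BLACKLIST and KEYWORDS lists are short excerpts of the full lists printed at the end of the article; the published blacklist also contains the .docx and .xlsx extensions the stealer targets, presumably because it is a dump of every string constant, so the excerpt keeps only the folder and Ryuk-artifact entries. The directory tree it scans is constructed for the demo.

```python
"""Reproduce the stealer's document-selection logic (added example).

Walk a tree, skip blacklisted paths, keep only genuine OOXML packages,
and report files whose NAME contains one of the target strings.
"""
import os
import tempfile
import zipfile

# Excerpt of the article's blacklist (folder names and Ryuk artifacts only).
BLACKLIST = ["Windows", "Intel", "Mozilla", "Public", "$Recycle.Bin",
             "RyukReadMe.txt", "UNIQUE_ID_DO_NOT_REMOVE", ".RYK", ".dll",
             "wallet.dat"]

# Excerpt of the 77 target strings from the end of the article.
KEYWORDS = ["marketwired", "10-Q", "fraud", "hack", "tank", "defence",
            "military", "checking", "classified", "secret", "clandestine",
            "undercover", "federal", "SWIFT", "IBAN", "Emma", "Liam"]

# Zip entry that a real Word / Excel package must contain, per extension.
OOXML_MARKERS = {".docx": "word/document.xml", ".xlsx": "xl/worksheets/sheet"}


def is_blacklisted(path):
    """Assumed substring match: note 'Intel' also hides 'Intelligence_brief.docx'."""
    return any(token in path for token in BLACKLIST)


def is_valid_office_doc(path):
    """Mirror the libzip check: open as zip and look for the marker entry.
    A renamed text file or a legacy binary .doc fails here."""
    marker = OOXML_MARKERS.get(os.path.splitext(path)[1].lower())
    if marker is None:
        return False
    try:
        with zipfile.ZipFile(path) as zf:
            return any(name.startswith(marker) for name in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False


def matches_keyword(path):
    """Return the target strings found in the file NAME (contents are not read)."""
    name = os.path.basename(path)
    return [k for k in KEYWORDS if k in name]


def triage(root):
    """Return [(path, [keywords])] for every file the stealer would upload."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune blacklisted directories so they are never descended into.
        dirnames[:] = [d for d in dirnames
                       if not is_blacklisted(os.path.join(dirpath, d))]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if is_blacklisted(full) or not is_valid_office_doc(full):
                continue
            kws = matches_keyword(full)
            if kws:
                hits.append((full, kws))
    return hits


def build_demo_tree(root):
    """Constructed sample tree (not from the article) exercising each rule."""
    def write_ooxml(path, inner):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(inner, "<placeholder/>")

    fin = os.path.join(root, "Finance")
    os.makedirs(os.path.join(root, "Windows"))
    os.makedirs(fin)
    write_ooxml(os.path.join(fin, "SWIFT_transfer_agreement.docx"), "word/document.xml")
    write_ooxml(os.path.join(fin, "checking_balances.xlsx"), "xl/worksheets/sheet1.xml")
    write_ooxml(os.path.join(fin, "holiday_photos.docx"), "word/document.xml")  # no keyword
    write_ooxml(os.path.join(fin, "fraud_report.xlsx"), "word/document.xml")    # wrong marker for .xlsx
    write_ooxml(os.path.join(fin, "Intelligence_brief_military.docx"), "word/document.xml")  # 'Intel' in name
    write_ooxml(os.path.join(root, "Windows", "military_map.docx"), "word/document.xml")    # blacklisted dir
    with open(os.path.join(fin, "secret_plans.docx"), "w") as f:
        f.write("not really a zip")                                              # fails libzip check


def run_demo():
    """Scan the constructed tree; return sorted (basename, keywords) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return sorted((os.path.basename(p), k) for p, k in triage(root))


if __name__ == "__main__":
    for name, kws in run_demo():
        print(name, kws)
```

Pointing triage() at a user profile gives the list of documents the stealer would have uploaded from that machine. Two consequences of the rules are worth noticing: the OOXML check means a renamed text file or a legacy binary .doc is never exfiltrated, and the substring blacklist means that, under the assumption above, a document named "Intelligence_brief_military.docx" is skipped because it contains "Intel".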

Strangely, it also looks for file names containing the first names “Emma”, “Liam”, “Olivia”, “Noah”, “William”, “Isabella”, “James”, “Sophia”, and “Logan”.

Matching files are then uploaded via FTP to the attacker’s server at 66.42.76.46 (path files_server/a8-5), as seen in the code below.

Stealing files by uploading to FTP Server

After scanning the local machine, the malware reads the computer’s ARP table to obtain a list of neighbouring IP addresses and repeats the search against any network shares reachable on those hosts. Because the ARP table only holds hosts on the same local segment, this step cannot reach beyond the adjacent subnet.

Getting ARP Table
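The lateral step can be reproduced from the host side. The following added example (not from the article or the malware) parses `arp -a` output in the Windows format and returns the neighbours a scanner seeded this way would actually try, dropping the broadcast and multicast rows that every Windows ARP table contains as well as the interface’s own address. The sample table is constructed for the demo.

```python
"""Parse Windows `arp -a` output and list the hosts an ARP-seeded share
scanner would reach (added example, not the stealer's code)."""
import ipaddress
import re

# Constructed sample of Windows `arp -a` output (not taken from the article).
SAMPLE_ARP = """\
Interface: 10.0.5.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.5.1              00-50-56-a1-22-10     dynamic
  10.0.5.40             00-0c-29-4f-8e-01     dynamic
  10.0.5.41             00-0c-29-4f-8e-02     dynamic
  10.0.5.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

Interface: 192.168.56.1 --- 0x12
  Internet Address      Physical Address      Type
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

IFACE_LINE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)")
ENTRY_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def parse_arp(text):
    """Return (interface_ip, neighbour_ip, mac, entry_type) for every table row,
    tracking which 'Interface:' block the row belongs to."""
    rows, iface = [], None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_LINE.match(line)
        if m:
            rows.append((iface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return rows


def candidate_hosts(text):
    """Neighbours a scanner seeded from this table would try for shares.

    Broadcast (ff-ff-...) and multicast (224/4) rows are static entries present
    on every Windows host and never answer SMB; the interface's own address is
    skipped too.  Only same-segment hosts can appear here, so an ARP-seeded
    scan never leaves the local subnet.
    """
    hosts = set()
    for iface, ip, mac, _ in parse_arp(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or mac == BROADCAST_MAC or ip == iface:
            continue
        hosts.add(ip)
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    for host in candidate_hosts(SAMPLE_ARP):
        print(host)
```

On a real host, feed it the output of `arp -a` instead of SAMPLE_ARP. From the detection side, the telling pattern is a process that reads the ARP cache and then opens SMB sessions to each address it found within a short window; the filtered list is what such a process would be expected to touch.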

It is not known how this malware is being installed, but BleepingComputer, Kremez, and MalwareHunterTeam theorized that it could be run before Ryuk encrypts a machine, harvesting interesting files while they are still readable.

Strange ties to Ryuk Ransomware

As already discussed, this stealer deliberately skips files associated with the Ryuk Ransomware, such as RyukReadMe.txt, UNIQUE_ID_DO_NOT_REMOVE, and any file with the .RYK extension.

In addition, the stealer and Ryuk Ransomware share code. For example, the stealer contains a function that creates a new file with the .RYK extension appended, as if it were encrypting the original. The stealer never calls this function.

Stealer contains Ryuk's create file method

The stealer also checks for the presence of a file named Ahnlab as shown below.

Stealer searching for Ahnlab

Kremez told BleepingComputer that Ryuk Ransomware also checks for the presence of this file as shown below. 

Ryuk Ransomware searching for Ahnlab

While there are definite ties between this stealer and Ryuk, it is not known whether the two come from the same group or whether someone obtained the code and reused it in their own program.

“It might indicate someone with source access to Ryuk ransomware simply copy/pasted and modified code to make it a stealer or look like it,” Kremez told BleepingComputer in a conversation about this malware.

Furthermore, Ryuk ran without any external dependencies when BleepingComputer tested it in the past, whereas this stealer appears to be a MinGW-built executable that needs several runtime DLLs present in order to execute.

This could indicate that the stealer is being installed manually or dropped as a package with all of the necessary components.

As more samples become available, its installation method will hopefully become clear.

IOCs

Network communication:

FTP: 66.42.76.46/files_server/a8-5   

Blacklisted files and folders:

Sample
log
.dll
Sample
$Recycle.Bin
Tor
Package
RyukReadMe.txt
microsoft
UNIQUE_ID_DO_NOT_REMOVE
PUBLIC
Windows
Intel
PerfLogs
windows
Firefox
Mozilla
Microsoft
$WINDOWS
Program
\Users\Public\Pictures
MySQL
.txt
.xls
.xlsx
.doc
.docx
.docb
.pdf
.cpp
.h
.gov
.jpg
.zip
.rar
.RYK
wallet.dat

Targeted file name strings:

SECURITY
N-CSR
10-SB
EDGAR
marketwired
10-Q
10Q
8K
fraud
hack
NSA
FBI
CSI
secret
private
confident
important
pass
hidden
undercover
clandestine
investigation
federal
bureau
government
security
unclassified
concealed
newswire
marketwired
personal
security
N-CSR
10-SB
EDGAR
spy
radar
agent
newswire
marketwired
10-Q
fraud
hack
defence
attack
military
tank
secret
balance
statement
checking
saving
routing
finance
agreement
SWIFT
IBAN
license
Compilation
report
secret
confident
hidden
clandestine
illegal
compromate
privacy
private
contract
concealed
backdoor
undercover
clandestine
investigation
federal
bureau
government
security
unclassified
seed
personal
confident
mail
letter
passport
scans
Emma
Liam
Olivia
Noah
William
Isabella
James
Sophia
Logan


