Ryuk has emerged in a new guise. In brief, the new strain of Ryuk Stealer exhibits advanced properties that enable it to target government and military sectors.
Ryuk Malware Stealer Revamped
Researchers from the MalwareHunterTeam have discovered a new Ryuk Stealer malware with advanced additions. The new strain is capable of aiming at high-profile targets such as military, government, finance, and banking sectors.
While the earlier Ryuk Stealer malware specifically targeted Word and Excel files, the new version has more targets. According to Vitali Kremez, it now targets seven file types, including additional Word and Excel formats (beyond docx and xlsx), pdf, jpg, C++ source code, and crypto-wallets.
When the stealer detects a file with a recognized extension, it then scans it for the presence of certain keywords.
Upon finding the desired document, it then uploads the file to the attackers’ FTP site.
As is evident from the targeted word list, which includes words like ‘SWIFT’, ‘IBAN’, ‘radar’, ‘tactical’, ‘EDGAR’, ‘newswire’, ‘federal’, ‘bureau’, and ‘investigation’, the new stealer clearly aims at pilfering sensitive information from government, military, and financial institutions.
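The behaviour described above (select files by extension, check them for keywords, upload them to an attacker-controlled FTP server) leaves a network-visible trace: an FTP upload of a document type to a host the organisation does not normally send files to. The following detector is an added example, not code from the article or from any vendor; the log line format, the hosts, the file names and the internal-network allowlist are all constructed here, and the exact extension spellings for "more Word and Excel files", "C++ source code" and "crypto-wallets" are assumptions, since the article does not enumerate them.

```python
"""Flag FTP uploads that match the file types and keywords reported for Ryuk Stealer.

Added example, not the article's or any vendor's code. The log format is constructed:
one line per FTP command, "<timestamp> <src_ip> <dst_ip> <command> <argument>".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from pathlib import PurePosixPath

# File types named in the article. .doc/.xls/.cpp/.h and wallet.dat are assumed
# spellings of "more Word and Excel files", "C++ source code" and "crypto-wallets".
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".cpp", ".h"}
TARGETED_NAMES = {"wallet.dat"}

# Content keywords quoted in the article. A network log does not carry file
# content, so here they are matched case-insensitively against the file name.
KEYWORDS = {"swift", "iban", "radar", "tactical", "edgar", "newswire",
            "federal", "bureau", "investigation"}

# Assumed allowlist: FTP uploads into these networks are expected business traffic.
ALLOWED_DESTINATIONS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# FTP commands that write data to the server (APPE is included as an assumption;
# the article only says the stealer "uploads" the file).
UPLOAD_COMMANDS = {"STOR", "APPE"}

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_FTP_LOG = """\
2020-01-23T10:15:02Z 10.0.0.15 203.0.113.7 USER upload
2020-01-23T10:15:03Z 10.0.0.15 203.0.113.7 STOR /inbox/swift_transfer_q3.docx
2020-01-23T10:15:09Z 10.0.0.15 203.0.113.7 STOR /inbox/wallet.dat
2020-01-23T10:16:11Z 10.0.0.22 10.0.5.9 STOR /backup/federal_report.pdf
2020-01-23T10:17:30Z 10.0.0.31 198.51.100.4 RETR /pub/readme.txt
2020-01-23T10:18:02Z 10.0.0.31 198.51.100.4 STOR /pub/holiday.jpg
"""


@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    filename: str
    reasons: tuple


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, src, dst, cmd, arg = parts
    return ts, src, dst, cmd.upper(), arg.strip()


def is_allowed_destination(dst):
    """True when dst lies inside an allowlisted network; unparsable hosts are not allowed."""
    try:
        addr = ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def classify_upload(ts, src, dst, cmd, arg):
    """Return an Alert when an upload to an external host matches a targeted type or keyword."""
    if cmd not in UPLOAD_COMMANDS or is_allowed_destination(dst):
        return None
    filename = PurePosixPath(arg).name
    lowered = filename.lower()
    reasons = []
    if PurePosixPath(lowered).suffix in TARGETED_EXTENSIONS or lowered in TARGETED_NAMES:
        reasons.append("targeted file type")
    hits = sorted(k for k in KEYWORDS if k in lowered)
    if hits:
        reasons.append("keyword:" + ",".join(hits))
    if not reasons:
        return None
    return Alert(ts, src, dst, filename, tuple(reasons))


def scan_ftp_log(text):
    """Run the classifier over every line of a log and collect the alerts in order."""
    alerts = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        alert = classify_upload(*fields)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_ftp_log(SAMPLE_FTP_LOG):
        print(f"{a.timestamp} {a.src} -> {a.dst} uploaded {a.filename}: {', '.join(a.reasons)}")
```

On the constructed sample, the upload of `federal_report.pdf` is not flagged because its destination is inside the allowlisted network, while the three uploads to external hosts are. In a real deployment the allowlist would be the organisation's known FTP partners, and the keyword check would be better applied to file content by a DLP control than to file names on the wire.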
It also specifically focuses on personal information of victims. It even includes some common names, such as ‘Liam’, ‘Olivia’, ‘James’, ‘Emma’, ‘Noah’, ‘Sophia’, ‘William’, ‘Isabella’, and ‘Logan’. Interestingly, all of these names are included in the ‘Top 5 Names in Each of the Last 100 Years’ list by the US Social Security Department.
Who Is Behind The New Stealer?
Though the identity of the threat actor(s) behind this malware isn’t clear, Vitali Kremez told Bleeping Computer that they might be the same actors who devised Ryuk.
It is likely the same actor, with access to the earlier Ryuk version, who repurposed a portion of its code for this stealer.
Moreover, how this malware is distributed in the wild, and whether it is bundled with other malware or ransomware, is also not clear. It was only possible to identify this stealer as Ryuk owing to the leftover artifacts.
Therefore, internet users should remain extremely cautious of phishing emails, suspicious attachments, and unexpected remote connections, and should keep their systems updated to avoid potential mishaps.