Delaware, USA – September 13, 2019 – The new infostealer exfiltrates documents containing keywords in the file name and has a number of similarities with Ryuk ransomware. This week, MalwareHunterTeam discovered an interesting sample that searches an infected system for the financial and military-related Word and Excel files and then sends them to the attackers’ server. After analyzing the malware, Vitali Kremez has discovered several references to infamous Ryuk ransomware. During the search. the infostealer ignores folders and files pointed in the hardcoded blacklist, which contains system folders and files associated with Ryuk infection. When a .xcls or .docx file is discovered, the malware verifies that it is indeed a document and then searches its name for at least one word from the list to determine whether this document can be of interest to attackers. In addition to the words related to the government, military and banking information, the list contains a number of first names that coincide with the most popular baby names in 2018. Perhaps this is how attackers identify personal information, the names also indicate that the main targets of the attackers are located in the United States. All documents found are immediately sent to the attackers’ FTP server. Upon completion of the search, the infostealer repeats the procedure on available network shares.
In addition to ignoring Ryuk related files, the researcher found other evidence of a connection between Infostealer and ransomware, such as searching for a specific file or the ability to create files with the .ryuk extension. Vitali Kremez assumes that the author had access to the Ryuk source code and used it to created new malware and has not yet cleared the code of excessive “artifacts”. The distribution methods are not yet known, perhaps the attackers use it before starting the file encryption process. Such attacks can be detected using the existing security solutions and Netflow Security Monitor rule pack, which enables real-time traffic profiling and discovers suspicious traffic spikes: https://my.socprime.com/en/integrations/netflow-security-monitor-kibana