In development: Ramsay malware steals documents from isolated networks

Ramsay framework can be used for espionage

Ramsay malwareRamsay malware steals data from air-gapped networks

A new malware strain, dubbed Ramsay, is capable of stealing sensitive information from air-gapped networks. Security researchers from ESET, who published the report on May 13,[1] claimed that the malware leverages several attack vectors to reach its targets, although there are very view victims so far:

The current visibility of targets is low; based on ESET’s telemetry, few victims have been discovered to date. We believe this scarcity of victims reinforces the hypothesis that this framework is under an ongoing development process, although the low visibility of victims could also be due to the nature of targeted systems being in air‑gapped networks.

Air-gapping is a network protection measure that isolates a set of computers from possible insecure connections, such as public hotspots or local area connection network. The method is often used by military, governmental, industrial, medical, and other critical systems and is considered to be one of the most secure ways of protecting a computer network from outside intrusions.[2]

With Ramsay, the attackers should be able to infect air-gapped computers and harvest sensitive documents and wait for a good opportunity to escape with the data. The malware possesses a unique set of capabilities that are rarely used in modern malware families, namely, breach of air-gapped networks.

First version of Ramsay was spotted in September last year

The malware was first spotted by ESET researchers back in September 2019, when back-then unknown malware sample was dropped to Virus Total from Japan. However, there were three different versions detected so far in total: Version 1, Version 2a, and Version 2b. No research was previously publicized about the strain, and researcher Ignacio Sanmillan published an analysis of all detected samples so far.

The two later samples, 2a and 2b, were spotted on March 8 and March 27, respectively. The first sample is the least complex from the three, while samples obtained in March were seen to have improved functionality; for example, rootkit function was implemented.

Each of the variants infects victims in different ways:

  • Ramsay v1 would exploit CVE-2017-0199[3] via malicious documents. The vulnerability affects MS Office applications, Windows Vista, and Windows Server 2008/2012 and allows the execution of arbitrary code.
  • Ramsay v2.a was spread as a fake 7zip installation file. The variant shows more persistence and avoidance techniques from its predecessor, and also possesses spreader and rootkit components.
  • Ramsay v2.b abuses malicious documents via CVE-2017-11882[4] – another MS Office flaw that allows the attackers to run arbitrary code. Researchers found that this version no longer used the spreader component.

The spreader module allows the malware to attach itself to all portable executables located on removable drives and network shares. Researchers think that this component allows Ramsay to jump the air gap, as PE's are often used between different computers, finally landing on the air-gapped network.

To stay on the network undetected, Ramsay uses a variety of persistence techniques, including usage of AppInit DLL registry key, Scheduled Task via COM API, and Phantom DLL Hijacking.

Malware still in development

Ramsay malware leverages several different attack methods and uses advanced methods to jump the air-gap for the information gathering process. Attackers could also use the threat to move laterally within the network, gathering all the sensitive information and login details in the process.

Judging by different features that were employed in various Ramsay versions, it is believed to be in development stages only. The malware is a great find by researchers, as it will allow further research when threat actors behind it begin broader operations, most likely targeting government and military institutions for espionage purposes.

ESET team was not able to pinpoint how the attackers exfoliate the sensitive information from the air-gapped networks. The data is prepared for harvesting, however. Additionally, the security firm can not identify, or find any hints on, who is behind Ramsay, although researchers found similarities to Retro[5] backdoor:

Shared artifacts were found alongside the Retro backdoor. This malware has been associated with Darkhotel, a notorious APT group known to have conducted cyber-espionage operations since at least 2004, having targeted government entities in China and Japan in the past.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions