New Ramsay malware can steal sensitive documents from air-gapped networks
Researchers from cyber-security firm ESET announced today that they discovered a never-before-seen malware framework with advanced capabilities that are rarely seen today.
Named Ramsay, ESET says this malware toolkit appears to have been designed to infect air-gapped computers, collect Word and other sensitive documents in a hidden storage container, and then wait for a possible exfiltration opportunity.
The Ramsay discovery is an important one because we rarely see malware that contains the capability to jump the air gap, considered the most strict and effective security protection measure that companies can take to safeguard sensitive data.
What are air-gapped networks
Air-gapped systems are computers or networks that are isolated from the rest of a company’s network and cut off from the public internet.
Air-gapped computers/networks are often found on the networks of government agencies and large enterprises, where they usually store top-secret documents or intellectual property.
Getting access to an air-gapped network is often considered the Holy Grail of any security breach, as these systems are often impossible to breach due to the air gap (lack of any connection to nearby devices).
New Ramsay malware can jump the air gap
In a report published today, ESET said it discovered a rare malware strain that appears to have been specifically developed to jump the air gap and reach isolated networks.
Based on what ESET has been able to glean from the Ramsay malware samples it discovered, attacks with the Ramsay toolkit have been seen operating by the following pattern:
- Victim receives an email with an attached RTF file.
- If the victim downloads and runs the document, the file tries to use the CVE-2017-1188 or CVE-2017-0199 vulnerabilities to infect the user with the Ramsay malware.
- The Ramsay “collector” module kicks in. This module searches the victim’s entire computer and gathers Word, PDF, and ZIP documents in a hidden storage folder.
- The Ramsay “spreader” module also kicks in. This module appends a copy of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares.
- Malware waits until the attacker deploys another module that can exfiltrate the collected data.
ESET says that during its research, it was not able to identify any Ramsay exfiltration module just yet.
Nonetheless, ESET says the malware has been used in the wild.
“We initially found an instance of Ramsay in VirusTotal,” said ESET researcher Ignacio Sanmillan. “That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework.”
Three Ramsay versions spotted already
ESET said they’ve been able to track down three different versions of the Ramsay malware framework, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).
Sanmillan said ESET discovered “substantial evidence to conclude that this framework is at a developmental stage,” and that the hackers are still tinkering with the code.
For example, the email delivery methods have varied, and in recent Ramsay versions, the malware also collected PDF and ZIP files, on top of Word documents.
The researcher has not made a formal attribution as who might be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group believed to be operating in the interests of the South Korean government.