Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

‘Ramsay’ Espionage Framework Can Exfiltrate Data From Air-Gapped Networks

A recently identified cyber-espionage framework is capable of collecting and exfiltrating sensitive information even from air-gapped networks, ESET reports.

A recently identified cyber-espionage framework is capable of collecting and exfiltrating sensitive information even from air-gapped networks, ESET reports.

Dubbed Ramsay, the framework appears to be in the development stage, with its operators still working on refining delivery vectors. Visibility of victims is low, either because the framework hasn’t enjoyed wide usage, or because of the targeting of air‑gapped networks.

Ramsay appears to have been under development since late 2019, and ESET’s security researchers believe that there are two maintained versions at the moment, each tailored based on the configuration of different targets.

Version 1 of the malware, which appears to have been developed in late September 2019, was being distributed via malicious documents looking to exploit CVE-2017-0199.

Version 2, dated March 2020, shows refined evasion and persistence, along with a spreader component and a rootkit. Two variants of this version were observed, one distributed through a decoy installer and the other through malicious documents exploiting CVE-2017-11882. The second variant lacks the spreader.

The spreader was designed as a file infector, embedding malicious Ramsay artifacts within PE executable files found on removable and network shared drives. Highly aggressive, the spreader modifies all of the PE executables found on the target drives.

For persistence, the framework uses multiple mechanisms: an AppInit DLL registry key, scheduled tasks via the COM API, and a technique known as Phantom DLL Hijacking (relies on outdated dependencies used by Windows applications).

“This [Phantom DLL Hijacking] persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded. In addition, the use of this technique makes detection more difficult since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert,” ESET says.

Advertisement. Scroll to continue reading.

Ramsay’s list of capabilities includes file collection (targets all existing Microsoft Word documents within the target’s filesystem), command execution (without a network-based command and control (C&C) communication protocol, it relies on control files to receive three commands: file execution, DLL load, batch execution), and spreading (in addition to infecting files, Ramsay implements a network scanner to find machines vulnerable to EternalBlue).

The spreader, ESET reveals, reuses some tokens previously observed in the Retro backdoor, which was associated with the South Korea-linked threat actor referred to as DarkHotel. Both malware families use the same encoding algorithm for specific operations, and both save some of their log files in a similar manner (and share a similar filename convention), in addition to using the similar open-source tools among their toolsets.

“Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates,” ESET also notes.

Related: Examining Triton Attack Framework: Lessons Learned in Protecting Industrial Systems

Related: ‘Attor’ Cyber-Espionage Platform Used in Attacks Aimed at Russia

Related: New Spyware Framework for Android Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.