‘Ramsay’ Espionage Framework Can Exfiltrate Data From Air-Gapped Networks

A recently identified cyber-espionage framework is capable of collecting and exfiltrating sensitive information even from air-gapped networks, ESET reports.

Dubbed Ramsay, the framework appears to be in the development stage, with its operators still working on refining delivery vectors. Visibility of victims is low, either because the framework hasn’t enjoyed wide usage, or because of the targeting of air‑gapped networks.

Ramsay appears to have been under development since late 2019, and ESET’s security researchers believe that there are two maintained versions at the moment, each tailored based on the configuration of different targets.

Version 1 of the malware, which appears to have been developed in late September 2019, was distributed via malicious documents exploiting CVE-2017-0199.

Version 2, dated March 2020, shows refined evasion and persistence, along with a spreader component and a rootkit. Two variants of this version were observed, one distributed through a decoy installer and the other through malicious documents exploiting CVE-2017-11882. The second variant lacks the spreader.

The spreader was designed as a file infector, embedding malicious Ramsay artifacts within PE executable files found on removable and network shared drives. Highly aggressive, the spreader modifies all of the PE executables found on the target drives.

For persistence, the framework uses multiple mechanisms: an AppInit DLL registry key, scheduled tasks created via the COM API, and a technique known as Phantom DLL Hijacking, which abuses outdated dependencies that Windows applications still try to load from locations the attacker can write to.

“This [Phantom DLL Hijacking] persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded. In addition, the use of this technique makes detection more difficult since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert,” ESET says.
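Of the three persistence mechanisms above, the AppInit_DLLs one is the simplest to hunt for: three values under the `Windows NT\CurrentVersion\Windows` key (and its Wow6432Node twin) decide whether DLLs are injected into every process that loads user32.dll. The script below is an added example, not part of the article or of ESET's analysis. It parses the text produced by `reg export`, which is how you would pull the key off an air-gapped host over removable media, and reports whether AppInit DLL loading is configured, enabled and allowed to load unsigned DLLs. The two registry exports embedded in it are constructed for illustration, and the DLL path `helper.dll` in the first one is a made-up name.

```python
"""Offline check of AppInit_DLLs persistence from a `reg export` dump.

Added example, not code from the article or from ESET. Parses the text format
written by `reg export <key> file.reg` and evaluates the three values that
govern AppInit DLL injection. Both sample exports below are constructed.
"""
import re

# Real key paths: 64-bit view and the 32-bit (Wow6432Node) view.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed sample: AppInit persistence configured and active. The DLL
# name is hypothetical. Note that .reg files double every backslash.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\Temp\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
"DeviceNotSelectedTimeout"="15"
"""

# Constructed sample: the shape of a clean host (empty list, loading off).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"RequireSignedAppInit_DLLs"=dword:00000001
"""


def decode_value(raw):
    """Decode one .reg value: dword:XXXXXXXX -> int, "str" -> str, else raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes backslashes and quotes inside REG_SZ values.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex: / expand-string types are left undecoded


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def assess_appinit(keys):
    """Return one finding string per view that has AppInit_DLLs populated.

    An empty list means neither view names any DLL. Missing LoadAppInit_DLLs
    is treated as 0 (the default since Windows 7); a missing
    RequireSignedAppInit_DLLs is reported as unknown rather than guessed.
    """
    findings = []
    for key in APPINIT_KEYS:
        values = keys.get(key)
        if values is None:
            continue
        dll_field = str(values.get("AppInit_DLLs", ""))
        dlls = [d for d in re.split(r"[ ,;]+", dll_field) if d]
        if not dlls:
            continue
        view = "32-bit" if "Wow6432Node" in key else "64-bit"
        load = values.get("LoadAppInit_DLLs", 0)
        status = "ACTIVE" if load == 1 else "configured but LoadAppInit_DLLs=0"
        signed = values.get("RequireSignedAppInit_DLLs")
        if signed == 0:
            sig_note = " (unsigned DLLs allowed)"
        elif signed is None:
            sig_note = " (signing requirement unknown)"
        else:
            sig_note = ""
        findings.append(f"{view} AppInit_DLLs {status}: {', '.join(dlls)}{sig_note}")
    return findings


def check_export(text):
    """Convenience wrapper: reg export text -> list of findings."""
    return assess_appinit(parse_reg_export(text))


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, check_export(export) or ["no AppInit_DLLs persistence"])
```

Run it against a real export with `check_export(open("win.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. Two caveats when reading the result: an empty list only clears this one mechanism, not the scheduled-task or phantom-DLL persistence the article also describes, and on Windows 8 and later with Secure Boot enabled the AppInit_DLLs infrastructure is disabled regardless of these values, so a populated entry there is evidence of tampering rather than of live injection.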

Ramsay’s capabilities include file collection (it targets every Microsoft Word document on the victim’s filesystem), command execution (having no network-based command and control (C&C) protocol, it reads control files to receive three commands: file execution, DLL load and batch execution), and spreading (in addition to infecting files, Ramsay implements a network scanner that looks for machines vulnerable to EternalBlue).

The spreader, ESET reveals, reuses some tokens previously observed in the Retro backdoor, which is associated with the South Korea-linked threat actor known as DarkHotel. Both malware families use the same encoding algorithm for specific operations, both save some of their log files in a similar manner and share a similar filename convention, and both use similar open-source tools in their toolsets.

“Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates,” ESET also notes.

Related: Examining Triton Attack Framework: Lessons Learned in Protecting Industrial Systems

Related: ‘Attor’ Cyber-Espionage Platform Used in Attacks Aimed at Russia

Related: New Spyware Framework for Android Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
