Security Experts:

Connect with us

Hi, what are you looking for?



‘Ramsay’ Espionage Framework Can Exfiltrate Data From Air-Gapped Networks

A recently identified cyber-espionage framework is capable of collecting and exfiltrating sensitive information even from air-gapped networks, ESET reports.

A recently identified cyber-espionage framework is capable of collecting and exfiltrating sensitive information even from air-gapped networks, ESET reports.

Dubbed Ramsay, the framework appears to be in the development stage, with its operators still working on refining delivery vectors. Visibility of victims is low, either because the framework hasn’t enjoyed wide usage, or because of the targeting of air‑gapped networks.

Ramsay appears to have been under development since late 2019, and ESET’s security researchers believe that there are two maintained versions at the moment, each tailored based on the configuration of different targets.

Version 1 of the malware, which appears to have been developed in late September 2019, was being distributed via malicious documents looking to exploit CVE-2017-0199.

Version 2, dated March 2020, shows refined evasion and persistence, along with a spreader component and a rootkit. Two variants of this version were observed, one distributed through a decoy installer and the other through malicious documents exploiting CVE-2017-11882. The second variant lacks the spreader.

The spreader was designed as a file infector, embedding malicious Ramsay artifacts within PE executable files found on removable and network shared drives. Highly aggressive, the spreader modifies all of the PE executables found on the target drives.

For persistence, the framework uses multiple mechanisms: an AppInit DLL registry key, scheduled tasks via the COM API, and a technique known as Phantom DLL Hijacking (relies on outdated dependencies used by Windows applications).

“This [Phantom DLL Hijacking] persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded. In addition, the use of this technique makes detection more difficult since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert,” ESET says.

Ramsay’s list of capabilities includes file collection (targets all existing Microsoft Word documents within the target’s filesystem), command execution (without a network-based command and control (C&C) communication protocol, it relies on control files to receive three commands: file execution, DLL load, batch execution), and spreading (in addition to infecting files, Ramsay implements a network scanner to find machines vulnerable to EternalBlue).

The spreader, ESET reveals, reuses some tokens previously observed in the Retro backdoor, which was associated with the South Korea-linked threat actor referred to as DarkHotel. Both malware families use the same encoding algorithm for specific operations, and both save some of their log files in a similar manner (and share a similar filename convention), in addition to using the similar open-source tools among their toolsets.

“Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates,” ESET also notes.

Related: Examining Triton Attack Framework: Lessons Learned in Protecting Industrial Systems

Related: ‘Attor’ Cyber-Espionage Platform Used in Attacks Aimed at Russia

Related: New Spyware Framework for Android Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...