A recently identified cyber-espionage framework is capable of collecting and exfiltrating sensitive information even from air-gapped networks, ESET reports.
Dubbed Ramsay, the framework appears to still be in development, with its operators refining delivery vectors. Visibility into victims is low, either because the framework has not been widely used or because it targets air‑gapped networks, from which little telemetry escapes.
Ramsay appears to have been under development since late 2019, and ESET’s security researchers believe that there are two maintained versions at the moment, each tailored based on the configuration of different targets.
Version 1 of the malware, which appears to have been built in late September 2019, was distributed via malicious documents exploiting CVE-2017-0199, an Office remote code execution flaw in OLE object handling.
Version 2, dated March 2020, shows refined evasion and persistence, along with a spreader component and a rootkit. Two variants of this version were observed: one distributed through a decoy installer and the other through malicious documents exploiting CVE-2017-11882, the Equation Editor memory-corruption bug. The second variant lacks the spreader.
The spreader was designed as a file infector, embedding malicious Ramsay artifacts within PE executable files found on removable and network shared drives. Highly aggressive, the spreader modifies all of the PE executables found on the target drives.
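As an added example (not ESET's code and not taken from the Ramsay report), the following Python triage script parses PE headers by hand and flags two things a file infector that embeds artifacts in existing executables commonly leaves behind: data appended past the end of the last section (an overlay, after discounting an Authenticode certificate table, which legitimately lives there) and sections marked both writable and executable. The article does not say which of these Ramsay's spreader actually produces, so the heuristics, the `build_pe` fixture and the sample bytes are assumptions. `scan_tree` walks a mounted removable or share drive and reports hits.

```python
import os
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_rva, (cert_offset, cert_size), sections) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    dd_base = 112 if magic == 0x20B else 96  # data directories start later in PE32+
    cert = struct.unpack_from("<II", data, opt + dd_base + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return entry_rva, cert, sections


def inspect_pe(data):
    """Heuristics for appended or injected code: overlay bytes, W+X sections, entry-point section."""
    entry_rva, (cert_off, cert_size), sections = parse_pe(data)
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    # A signed file legitimately ends with its certificate table; anything beyond that is overlay.
    expected_end = max(end_of_sections, cert_off + cert_size if cert_size else 0)
    overlay = max(0, len(data) - expected_end)
    wx = [s["name"] for s in sections
          if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
    entry_section = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
    return {"overlay_bytes": overlay, "wx_sections": wx, "entry_section": entry_section,
            "entry_in_last_section": bool(sections) and entry_section == sections[-1]["name"],
            "suspicious": overlay > 0 or bool(wx)}


def scan_tree(root):
    """Walk a mounted drive and return (path, findings) for every PE that trips a heuristic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                if data[:2] != b"MZ":
                    continue
                result = inspect_pe(data)
            except (OSError, ValueError, struct.error):
                continue  # unreadable or malformed file: skip rather than abort the sweep
            if result["suspicious"]:
                hits.append((path, result))
    return hits


def build_pe(code=b"\xc3", section_chars=0x60000020, overlay=b""):
    """Constructed fixture: a minimal single-section PE32 (not a real binary, not a Ramsay sample)."""
    FILE_ALIGN, SECT_ALIGN, HEADERS = 0x200, 0x1000, 0x200
    raw_size = -(-len(code) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, SECT_ALIGN)                      # AddressOfEntryPoint -> .text
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)         # alignments
    struct.pack_into("<II", opt, 56, SECT_ALIGN * 2, HEADERS)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    sect = struct.pack(SECTION_HDR, b".text", len(code), SECT_ALIGN, raw_size, HEADERS,
                       0, 0, 0, 0, section_chars)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sect)
    image += b"\0" * (HEADERS - len(image))
    image += code.ljust(raw_size, b"\0")
    return bytes(image + overlay)


if __name__ == "__main__":
    import sys
    for path, result in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, result)
```

Installers, self-extracting archives and some packers carry legitimate overlays, so treat a hit as a candidate to compare against known-good hashes (or a golden copy from the software vendor) rather than as a verdict; an infector that appends after a signed file's certificate table will also break that signature, which `signtool verify` or `Get-AuthenticodeSignature` will show.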
For persistence, the framework uses multiple mechanisms: an AppInit DLL registry key, scheduled tasks created via the COM API, and a technique known as Phantom DLL Hijacking, which relies on DLLs that Windows applications or services still try to load even though the file no longer ships with Windows; planting a DLL with that name at the expected path gets it loaded by a trusted process.
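Of the three mechanisms above, the AppInit DLL one is the easiest to audit offline, because the whole configuration sits in two registry values. As an added example (not ESET's code), the following Python script parses a `reg export` (.reg) file and reports any key where `AppInit_DLLs` is populated, together with whether `LoadAppInit_DLLs` enables loading and whether `RequireSignedAppInit_DLLs` is turned off. The embedded export text is a constructed sample, and the DLL path in it is a placeholder, not a Ramsay indicator.

```python
import re

# Both registry views in which AppInit_DLLs is read (native and 32-bit Wow6432Node).
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed sample of a .reg export; example_agent.dll is a placeholder name, not an indicator.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\example_agent.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
'''

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=value or @=value (default)


def decode_value(raw):
    """Decode one .reg value token: REG_SZ, REG_DWORD and hex-encoded types."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])          # REG_SZ: unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                             # REG_DWORD
    m = re.match(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or "3", 16)                   # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (2, 7):                                  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\0")
        return data
    return raw                                              # anything else is kept verbatim


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key_path: {value_name: value}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):      # hex values wrap with trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1) if m.group(1) is not None else "(Default)"] = decode_value(m.group(2))
    return keys


def check_appinit(keys):
    """Return one finding per key view whose AppInit_DLLs value names at least one DLL."""
    findings = []
    for key in APPINIT_KEYS:
        vals = keys.get(key) or {}
        raw = vals.get("AppInit_DLLs", "")
        if isinstance(raw, bytes):                          # tolerate an odd export type
            raw = raw.decode("utf-16-le", "replace").rstrip("\0")
        dlls = [d for d in re.split(r"[ ,]+", str(raw)) if d]  # space- or comma-separated list
        if not dlls:
            continue
        findings.append({
            "key": key,
            "dlls": dlls,
            "load_enabled": vals.get("LoadAppInit_DLLs") == 1,
            "require_signed": vals.get("RequireSignedAppInit_DLLs"),  # None when the value is absent
        })
    return findings


if __name__ == "__main__":
    import sys
    # reg export writes UTF-16LE with a BOM; "utf-16" consumes the BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in check_appinit(parse_reg_export(text)):
        print(f"{f['key']}\n  DLLs: {f['dlls']}\n  LoadAppInit_DLLs enabled: {f['load_enabled']}"
              f"\n  RequireSignedAppInit_DLLs: {f['require_signed']}")
```

Any populated `AppInit_DLLs` deserves a look, since few legitimate products still use it; `LoadAppInit_DLLs` set to 1 with `RequireSignedAppInit_DLLs` at 0 is the combination that lets an unsigned DLL ride into every process that loads user32.dll. The other two mechanisms need different sources: scheduled tasks created through the COM API still land as XML under `%SystemRoot%\System32\Tasks`, and phantom DLL loads show up as `NAME NOT FOUND` results on `.dll` paths in a Process Monitor trace of the affected service.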
“This [Phantom DLL Hijacking] persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded. In addition, the use of this technique makes detection more difficult since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert,” ESET says.
Ramsay’s capabilities include file collection, command execution and spreading. File collection targets all Microsoft Word documents on the victim’s filesystem. Command execution does not rely on a network-based command and control (C&C) protocol; instead, the agent looks for control files that carry one of three commands: file execution, DLL load or batch execution. For spreading, in addition to infecting files, Ramsay implements a network scanner that looks for machines vulnerable to EternalBlue.
The spreader, ESET reveals, reuses some tokens previously observed in the Retro backdoor, which has been associated with the South Korea-linked threat actor referred to as DarkHotel. Both malware families use the same encoding algorithm for specific operations, both save some of their log files in a similar manner and share a similar filename convention, and both use similar open-source tools in their toolsets.
“Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates,” ESET also notes.
Related: Examining Triton Attack Framework: Lessons Learned in Protecting Industrial Systems
Related: ‘Attor’ Cyber-Espionage Platform Used in Attacks Aimed at Russia
