
‘Ramsay’ Espionage Framework Can Exfiltrate Data From Air-Gapped Networks

A recently identified cyber-espionage framework is capable of collecting and exfiltrating sensitive information even from air-gapped networks, ESET reports.


Dubbed Ramsay, the framework appears to be in the development stage, with its operators still working on refining delivery vectors. Visibility into victims is low, either because the framework has not yet seen wide usage or because it targets air-gapped networks.

Ramsay appears to have been under development since late 2019, and ESET’s security researchers believe that there are two maintained versions at the moment, each tailored based on the configuration of different targets.

Version 1 of the malware, which appears to have been developed in late September 2019, was distributed via malicious documents that exploit CVE-2017-0199.

Version 2, dated March 2020, shows refined evasion and persistence, along with a spreader component and a rootkit. Two variants of this version were observed, one distributed through a decoy installer and the other through malicious documents exploiting CVE-2017-11882. The second variant lacks the spreader.

The spreader was designed as a file infector, embedding malicious Ramsay artifacts within PE executable files found on removable and network shared drives. Highly aggressive, the spreader modifies all of the PE executables found on the target drives.

For persistence, the framework uses multiple mechanisms: an AppInit DLL registry key, scheduled tasks created via the COM API, and a technique known as Phantom DLL Hijacking (which relies on outdated dependencies still referenced by Windows applications).

“This [Phantom DLL Hijacking] persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded. In addition, the use of this technique makes detection more difficult since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert,” ESET says.
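The persistence mechanisms named above are ones a defender can audit on an endpoint. The following PowerShell script is an added example, not code from the article or from ESET's research: it lists the DLLs registered under the AppInit_DLLs key (both the native and the Wow6432Node view), whether loading is enabled, and which of those DLLs lack a valid Authenticode signature, and it enumerates scheduled task actions whose executable sits outside the Windows directory. Tasks created through the COM Task Scheduler API appear in Get-ScheduledTask like any other, which is why listing them is useful regardless of how they were registered. The "outside SystemRoot" heuristic is an assumption for illustration and should be tuned to an organization's own baseline.

```powershell
# Added example: audit two of the persistence mechanisms described in the article.
# Not from the original page; heuristics are assumptions to be tuned per environment.

# AppInit_DLLs lives under these keys (64-bit and 32-bit views).
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllStatus {
    foreach ($key in $appInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $dlls = @()
        if ($props.AppInit_DLLs) {
            # The value is a space- or comma-separated list of DLL paths.
            $dlls = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        }
        # DLLs that exist on disk but carry no valid signature deserve a closer look.
        $unsigned = @($dlls | Where-Object {
            (Test-Path $_) -and ((Get-AuthenticodeSignature -FilePath $_).Status -ne 'Valid')
        })
        [pscustomobject]@{
            Key          = $key
            LoadEnabled  = [bool]$props.LoadAppInit_DLLs   # 1 means registered DLLs are loaded
            Dlls         = $dlls
            UnsignedDlls = $unsigned
        }
    }
}

function Get-TaskActionsOutsideSystemRoot {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "Execute" actions launch a binary; other action types are skipped.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # Assumed heuristic: flag binaries not under %SystemRoot%. Tune to your baseline.
            if ($exe -notlike "$env:SystemRoot\*") {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

Write-Host '== AppInit_DLLs =='
Get-AppInitDllStatus | Format-List
Write-Host '== Scheduled task actions outside SystemRoot =='
Get-TaskActionsOutsideSystemRoot | Format-Table -AutoSize
```

Run it from an elevated prompt so that both registry views and all task folders are readable; compare the output against a known-good baseline rather than treating every hit as malicious, since legitimate software also registers AppInit DLLs and tasks outside the Windows directory.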


Ramsay’s capabilities include file collection (it targets all Microsoft Word documents on the victim’s filesystem), command execution (there is no network-based command and control (C&C) protocol; instead, the framework reads control files that carry one of three commands: file execution, DLL load, or batch execution), and spreading (in addition to infecting files, Ramsay implements a network scanner to find machines vulnerable to EternalBlue).

The spreader, ESET reveals, reuses some tokens previously observed in the Retro backdoor, which was associated with the South Korea-linked threat actor referred to as DarkHotel. Both malware families use the same encoding algorithm for specific operations, save some of their log files in a similar manner (with a similar filename convention), and include similar open-source tools in their toolsets.

“Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates,” ESET also notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
