A newly discovered cyber-espionage intrusion that is proficient in collecting and exfiltrating delicate documents from within air‑gapped networks. The malware is dubbed as Ramsay.
Currently, it is under active development. So far, Investigators have come three different samples, with each sample having some features. However, Researchers say that Ramsay’s targeting of air-gapped networks makes the toolkit a potential formidable threat. Typically, an air gap is a security measure used by computer networks to isolate itself from an unsecured network physically. for example the public internet or an unsecured local area network.
Researchers with ESET in a Wednesday analysis said, “Few stages of Ramsay’s framework were still under evaluation, which could potentially explain the prevailing low visibility of victims, having in mind that Ramsay’s intended targets may be under air-gapped networks, which would also impact victim visibility,”
Cybersecurity forensic analysts initially found the traces of Ramsay in VirusTotal. It was a sample uploaded from Japan. The timestamps and digital signatures for the intrusion’s components imply that its core has been under advancement since late 2019. The intrusive malware shares many ideologies with Retro, a backdoor malware associated with DarkHotel, a notorious APT group known to have convoyed cyber-crook formulae since at least 2004. Later it was also found that the malware targeted government entities of China and Japan beforehand.
Infection and its Insights
Those three samples discovered by the investigators have been practised in real-life attacks using several attack vectors. One of these appeared to be a malicious RTF document, while the other was a binary masquerading as a 7zip installer. Once these files are opened, they attempt to exploit a remote code execution vulnerability in the server (CVE-2017-0199). The vulnerability exists in the way that Microsoft Office and WordPad parse particularly crafted files.
Later an installer (lmsch.exe) is then prompted to execute, Although the previous versions used a malware agent, netwiz.exe. Further, it then deploys various modules having the ability to perform various intrusive capabilities. These modules collect all existing Microsoft Word documents comprising thee file extension such as PDF files, and.ZIP archives. After gathering it targets system file, allowing a gateway for privilege escalation via UACMe instances, collect screenshots, and scan for network shares and removable drives, later on, it replicates itself from one system to another.
Succeeding versions of Ramsay consisted of a rootkit spreader. This spreader comprises a file-infection mechanism that alters the arrangement of benign Portable Executable (PE) files to embed itself with malicious Ramsay artefacts. These are then dependent upon host file execution.
Security personnel claimed that its ability to spread is highly aggressive in its propagation mechanism, and any PE executables residing in the targeted drives would be candidates for infection. This appraises the relationship between Ramsay’s spreading and control capabilities. It clearly shows how Ramsay’s operators leverage the framework for parallel movement, meanwhile signifying the possibility that this framework has been devised to operate within air-gapped networks.
Some Other Peculiarities of Ramsay Malware
Ramsay is also loaded with several persistence methods just like the ability to matter settings so that it could schedule a task to persist after reboot including its power to execute components as service dependencies. The most striking persistence method, however, is what the investigators call “Phantom DLL Hijacking.” This method showcases its methodologies to abuse many windows applications because of its outdated dependencies that affected the functionality of the application itself. Hence, as a result, attackers have the privilege to leverage malicious versions of these dependencies.
“This persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded,” said researchers. “In addition, the use of this technique makes detection more difficult, since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert.”
Apart from these, Researchers also found that, unlike most conventional malware, Ramsay does not have a network-based command-and-control (C2) communication protocol, and does not attempt to connect to a remote host for communication purposes:
Further investigation showed that newer versions of the toolkit, for instance, find out machines within the list of compromised host’s subnet that is susceptible to the EternalBlue SMBv1 vulnerability.