The cyber-espionage toolkit is under active development.
A cyber-espionage malware has been discovered that’s capable of collecting and exfiltrating sensitive documents from within air‑gapped networks.
The malware, dubbed Ramsay, is still under active development — so far, researchers have found three different samples, with each sample adding new features. However, Ramsay’s targeting of air-gapped networks makes the toolkit a formidable threat, researchers say. An air gap is a security measure to ensure that computer networks are physically isolated from other, potentially unsecured networks (such as the public internet or an unsecured local area network).
“Some stages of Ramsay’s framework are still under evaluation, which could explain the current low visibility of victims, having in mind that Ramsay’s intended targets may be under air-gapped networks, which would also impact victim visibility,” said researchers with ESET in a Wednesday analysis.
Researchers initially found an instance of Ramsay in VirusTotal, in a sample uploaded from Japan. The timestamps for the malware’s components imply that its framework has been under development since late 2019. The malware shares many artifacts with Retro, a backdoor malware associated with DarkHotel, a notorious APT group known to have conducted cyber-espionage operations since at least 2004 that has targeted government entities in China and Japan previously.
The Ramsay samples discovered by researchers have been leveraged in real-life attacks using multiple attack vectors. One of these is malicious RTF documents, while another was a binary masquerading as a 7zip installer. Once opened, these attempt to exploit a remote code execution vulnerability in the system (CVE-2017-0199), which exists in the way that Microsoft Office and WordPad parse specially crafted files.
An installer (lmsch.exe) is then executed (earlier versions instead used an agent, netwiz.exe), which deploys the modules that provide the malware’s capabilities.
These modules execute several of the core capabilities of the malware. They gather all existing Microsoft Word documents (and in more recent versions, PDF files and .ZIP archives) within the target file systems, allow for privilege escalation (via UACMe instances), collect screenshots, and scan for network shares and removable drives, which the malware then uses for its spreading mechanism.
Later versions of Ramsay included a rootkit spreader. This spreader acts as a file-infection mechanism and changes the structure of benign Portable Executable (PE) files to embed malicious Ramsay artifacts. These are then triggered upon host file execution.
“The spreader is highly aggressive in its propagation mechanism, and any PE executables residing in the targeted drives would be candidates for infection,” said researchers. “This assesses the relationship between Ramsay’s spreading and control capabilities showing how Ramsay’s operators leverage the framework for lateral movement, denoting the likelihood that this framework has been designed to operate within air-gapped networks.”
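As an added, defender-side illustration (not ESET’s tooling or Ramsay’s code) of what an appended-section file infection looks like structurally, the following parses PE32 headers and flags an entry point that has moved into a writable and executable last section, or trailing data after the final section. The PE images it checks are constructed in memory for the example; the section name `.added` is an assumption, not a Ramsay artifact.

```python
import struct
EXEC, WRITE, READ, CODE = 0x20000000, 0x80000000, 0x40000000, 0x20  # IMAGE_SCN_* section flags
def parse_pe(data):
    """Return (entry_rva, [(name, rva, vsize, raw_ptr, raw_size, chars), ...]) of a PE32 file."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<xxH12xH2x", data, pe_off + 4)  # IMAGE_FILE_HEADER
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    secs = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, rva, rsize, rptr, chars = struct.unpack_from("<8sIIII12xI", data, pe_off + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), rva, vsize, rptr, rsize, chars))
    return entry, secs
def infection_indicators(data):
    """Structural signs that a file infector rewrote a host PE; returns a list of findings."""
    entry, secs = parse_pe(data)
    findings = []
    host = next((s for s in secs if s[1] <= entry < s[1] + max(s[2], s[4])), None)
    if host is None:
        findings.append("entry point outside every section")
    else:
        name, chars = host[0], host[5]
        if not chars & EXEC:
            findings.append(f"entry point in non-executable section {name}")
        elif chars & WRITE:
            findings.append(f"entry point in writable+executable section {name}")
        if host is secs[-1] and len(secs) > 1 and name != ".text":
            findings.append(f"entry point relocated to last section {name}")
    end = max((s[3] + s[4] for s in secs), default=0)
    if len(data) > end:  # weak on its own: Authenticode-signed binaries also carry an overlay
        findings.append(f"{len(data) - end} bytes of overlay after last section")
    return findings
def build_pe(sections, entry_rva, overlay=b""):
    """Constructed minimal PE32 image for testing; sections are (name, rva, size, chars)."""
    raw_ptr = (0x40 + 4 + 20 + 0xE0 + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-aligned file offset
    table, body = b"", b""
    for name, rva, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, rva, size, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += bytes(size)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew -> PE signature at 0x40
    fhdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)  # i386, 0xE0-byte opt hdr
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva) + bytes(0xE0 - 20)  # PE32 magic
    hdr = dos + b"PE\0\0" + fhdr + opt + table
    return hdr + bytes(raw_ptr - len(hdr)) + body + overlay
# Constructed samples: a clean two-section host, and the same host after an infector appended an RWX section.
HOST = [(".text", 0x1000, 0x200, CODE | EXEC | READ), (".data", 0x2000, 0x200, READ | WRITE)]
CLEAN_PE = build_pe(HOST, 0x1010)
INFECTED_PE = build_pe(HOST + [(".added", 0x3000, 0x200, CODE | EXEC | READ | WRITE)], 0x3000, overlay=bytes(16))
```

Run over PE files found on removable drives or shares, a non-empty result marks candidates for closer inspection rather than a verdict, since packers and signed binaries produce some of the same shapes.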
Ramsay also implements several persistence methods, including setting a scheduled task to persist after reboot and executing components as service dependencies. The most notable persistence method however is what the researchers call “Phantom DLL Hijacking.” This method abuses the fact that many Windows applications use outdated dependencies not strictly necessary for the functionality of the application itself – allowing attackers to leverage malicious versions of these dependencies.
“This persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into separated sections, implementing different functionality tailored for the subject processes where the agent will be loaded,” said researchers. “In addition, the use of this technique makes detection more difficult, since the loading of these DLLs into their respective processes/services won’t necessarily trigger an alert.”
Researchers also noted that, unlike most conventional malware, Ramsay does not have a network-based command-and-control (C2) communication protocol, and does not attempt to connect to a remote host for communication purposes: “Exfiltration of these artifacts is done via an external component that we haven’t been able to retrieve,” they said.
Researchers said that Ramsay continues to be under active development, particularly in its scanning of machines susceptible to various exploits. Newer versions of the toolkit for instance sniff out machines within the compromised host’s subnet that are susceptible to the EternalBlue SMBv1 vulnerability.
“Developers in charge of attack vectors seem to be trying various approaches, such as old exploits for Word vulnerabilities from 2017, as well as deploying trojanized applications potentially being delivered via spear-phishing,” said researchers.
Sample Hashes for Ramsay Malware