Recently Uncovered Ramsay Toolkit Still Under Development, Researchers Say
A recently discovered cyber-espionage toolkit called Ramsay is designed to infiltrate air-gapped networks to steal documents, take screenshots and compromise other devices, according to the security firm ESET.
The origins of Ramsay remain unclear. ESET researchers, however, have found at least three versions of the malware, which likely means the malicious toolkit is still under development, according to the company’s research report released this week.
The ESET researchers stumbled upon Ramsay in March after a version of the malware was uploaded to VirusTotal by someone in Japan.
Ramsay potentially poses an unusual threat because it is built to penetrate and operate within air-gapped networks, which are considered more secure because their infrastructure is physically isolated from the internet and other untrusted connections. Large-scale industrial companies, such as power companies and oil and gas firms, as well as government agencies are among the most common users of these networks.
Once inside such a network, Ramsay is capable of stealing information from Microsoft Word documents, PDF files and Zip archives, including data stored on a victim's removable drives, the report notes. The malware also can take screenshots and further compromise devices for cyber espionage.
Because the Ramsay toolkit is new and remains under development, ESET researchers are not completely sure how it operates or how many targets may have been victimized.
Although rare, malware that can penetrate air-gapped networks has previously been spotted in the wild. In 2016, for example, security firm Kaspersky and other analysts published reports on a malware platform called ProjectSauron, also known as Remsec, which hid its presence within network protocols (see: Espionage Malware Penetrates Air-Gapped Networks).
3 Versions of Ramsay
During their analysis, the ESET researchers found three versions of Ramsay, each using a different delivery vector to attempt to infiltrate air-gapped networks.
In the first version, which dates to September 2019, the operators of Ramsay use malicious Rich Text Format documents to plant the malware on a device. In this case, the malicious toolkit takes advantage of a vulnerability tracked as CVE-2017-0199, a remote code execution flaw in Microsoft Office's handling of OLE objects that affects multiple versions of the suite.
If the target opens the malicious document, a Visual Basic script is executed that extracts the malware, which is hidden in a JPG image file, the report notes.
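A common way to hide a second-stage payload in an image file is to append it after the image's End-Of-Image marker, where viewers ignore it. The page does not say how Ramsay's JPG carrier is built, so the following is an added triage example written for this article rather than code from ESET or the Ramsay operators, and it assumes an appended-trailer layout. It walks the JPEG marker structure (APP segments, SOS entropy-coded data with 0xFF00 byte stuffing and RSTn restart markers) to locate the real EOI, so a payload that itself contains the bytes FF D9 does not fool it the way a simple reverse search would. The sample JPEG bytes are constructed inline and are not a real picture.

```python
import struct
import sys

RST_MARKERS = range(0xD0, 0xD8)  # RST0..RST7: standalone, no length field


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return any bytes that follow the JPEG End-Of-Image marker.

    Walks the marker segments instead of searching backwards for FF D9, so a
    payload that happens to contain FF D9 is returned whole. Returns b"" for
    a well-formed image with nothing appended; raises ValueError on malformed input.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        while i < n and data[i] == 0xFF:  # 0xFF fill bytes are permitted
            i += 1
        if i >= n:
            raise ValueError("truncated marker")
        marker = data[i]
        i += 1
        if marker == 0xD9:                     # EOI: everything after it is a trailer
            return data[i:]
        if marker == 0x01 or marker in RST_MARKERS:  # TEM / RSTn carry no length
            continue
        if i + 2 > n:
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[i:i + 2])[0]
        if seglen < 2:
            raise ValueError("invalid segment length")
        i += seglen
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            while i < n:
                if data[i] == 0xFF and i + 1 < n:
                    nxt = data[i + 1]
                    if nxt == 0x00 or nxt in RST_MARKERS:  # stuffed byte / restart
                        i += 2
                        continue
                    if nxt == 0xFF:                          # fill byte
                        i += 1
                        continue
                    break  # a real marker (EOI, DHT, ...) starts here
                i += 1
    raise ValueError("no EOI marker found")


def classify_trailer(trailer: bytes) -> str:
    """Rough hint about an appended payload, based on well-known file signatures."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"MZ"):
        return "PE executable"
    if trailer.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    return "unknown trailer"


def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed test input: a minimal, structurally valid JPEG byte string
    (SOI, APP0, SOS with stuffed 0xFF00 and an RST0 marker, EOI) plus trailer.
    It is not a real image; it exists only to exercise the parser."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\xab\xff\xd0\xcd\xef"
    return b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9" + trailer


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            tail = jpeg_trailing_data(fh.read())
        print(f"{path}: {len(tail)} trailing bytes, {classify_trailer(tail)}")
```

Run it against a directory of image attachments to flag carriers worth a closer look; a non-empty trailer is a triage signal, not proof of malice, since some cameras and editors also leave harmless bytes after EOI.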
The second version of Ramsay, called Version 2.a, was the variant that the ESET researchers found uploaded to VirusTotal in March. This version of the malware is disguised as an installer for 7-Zip, an open source tool used to compress files.
Version 2.a contains a rootkit and a spreader, which are designed to allow the malware to persist within a network and help Ramsay evade security tools and detection, according to the report. The researchers also discovered that the malicious toolkit contains a network scanner that searches for devices that are not patched against the SMBv1 vulnerability (CVE-2017-0144, fixed in Microsoft's MS17-010 update) targeted by the EternalBlue exploit.
Ramsay does not itself exploit that flaw. Instead, the scan results are recorded for the operators, and researchers suspect that exploiting still-vulnerable hosts is one way the malware could be pushed deeper into an air-gapped network. “This information will be contained within all logged information Ramsay collects and may be leveraged by operators in order to do further lateral movement over the network in a later stage via a different channel,” according to the report.
The third version of Ramsay, Version 2.b, has much the same capabilities as Version 2.a but, like the first version, is delivered through a malicious document. In this case it leverages a different Microsoft Office vulnerability, CVE-2017-11882, a memory corruption flaw in the Equation Editor component, the report notes. This version dates to March 27.
Unlike most malware, Ramsay does not utilize a network-based command-and-control server to exfiltrate data or communicate with its operators, according to the report. Instead, the data exfiltration is done through what the ESET researchers call an “external component” that has not yet been identified.
Researchers found that Ramsay shares some code, tokens and other features that have been previously observed in a backdoor called Retro, which is used by an advanced persistent threat group called DarkHotel.
That group, whose activity Kaspersky researchers have traced back to 2007, is known to target victims in China, Russia, Japan and other parts of East Asia. Researchers suspect that the group has ties to South Korea. And hackers associated with the APT group were accused of targeting the World Health Organization in March (see: Hackers Targeted World Health Organization).