Researchers from ESET have shared details about a previously unknown piece of malware that is capable of stealing sensitive documents from air-gapped networks.
Dubbed Ramsay, the malware is a cyber-espionage framework that was first spotted on VirusTotal. Digging deeper, the researchers discovered further components and versions of the framework, as well as evidence suggesting that Ramsay is still under active development.
Ramsay compromises targeted computers through malicious documents, potentially delivered by spear-phishing email or dropped from a USB drive, and exploits two old remote code execution vulnerabilities in Microsoft Office (CVE-2017-0199, and CVE-2017-11882 in the Equation Editor component) to gain a foothold on the system. Both flaws were patched in 2017, so a current Office patch level blocks this initial vector.
Once it has infected a computer, Ramsay collects every Word document, PDF and ZIP archive it can find on the target's filesystem and stages them in a pre-defined location on the same system, or directly on a network share or removable drive, for later retrieval. It spreads to other computers inside the same isolated facility by infecting every executable file it finds on network shares and removable drives, the researchers said.
To persist on a system the malware uses different techniques depending on its version: the AppInit_DLLs registry key, a scheduled task created through the Task Scheduler COM API, and phantom DLL hijacking (planting a DLL under a name that a legitimate process tries to load but that is normally absent from disk).
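The following PowerShell script is an added hunting example written for this article; it is not ESET's tooling or Ramsay's own code. It inspects the three persistence mechanisms listed above and, for the propagation behaviour described earlier, diffs the executables on a share against a stored hash baseline. The share path and baseline file name are placeholders, and the "unsigned DLL in a system directory" check is a generic heuristic, because the article does not name the DLL that Ramsay hijacks.

```powershell
# Added hunting script (not ESET's or Ramsay's code). Run from an elevated
# PowerShell prompt on the host you are inspecting. Paths and the baseline
# file name below are assumptions chosen for this example.

# 1. AppInit_DLLs: every DLL listed here is loaded into each process that links
#    user32.dll, so a non-empty value on a host with no legitimate reason for
#    one deserves a look. LoadAppInit_DLLs = 1 enables the mechanism.
function Get-AppInitDlls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key              = $k
            AppInit_DLLs     = $p.AppInit_DLLs
            LoadAppInit_DLLs = $p.LoadAppInit_DLLs
            Suspicious       = [bool]($p.AppInit_DLLs -and $p.AppInit_DLLs.Trim() -ne '')
        }
    }
}

# 2. A task created through the Task Scheduler COM API looks like any other
#    task, so walk every folder, list each exec action and flag binaries that
#    live outside the Windows and Program Files directories.
function Get-TaskExecActions {
    $safeRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue($svc.GetFolder('\'))
    while ($queue.Count -gt 0) {
        $folder = $queue.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $queue.Enqueue($sub) }
        foreach ($task in $folder.GetTasks(1)) {      # 1 = include hidden tasks
            foreach ($action in $task.Definition.Actions) {
                if ($action.Type -ne 0) { continue }  # 0 = TASK_ACTION_EXEC
                $exe = [Environment]::ExpandEnvironmentVariables([string]$action.Path)
                $inSafeRoot = $safeRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
                [pscustomobject]@{
                    Task       = $task.Path
                    Executable = $exe
                    Arguments  = $action.Arguments
                    Suspicious = -not $inSafeRoot
                }
            }
        }
    }
}

# 3. Phantom DLL hijacking plants a DLL under a name that a legitimate process
#    tries to load but that normally does not exist. The article does not name
#    the DLL, so this is a generic heuristic: report DLLs in the system
#    directories whose Authenticode signature is not valid.
function Find-UnsignedSystemDlls {
    param([string[]]$Dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"))
    Get-ChildItem -Path $Dirs -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Written = $_.LastWriteTime }
            }
        }
}

# 4. Propagation: Ramsay infects executables on shares and removable drives.
#    First run writes a SHA-256 baseline; later runs report new or changed .exe files.
function Compare-ExecutableBaseline {
    param([string]$Root, [string]$BaselinePath)
    $current = @{}
    Get-ChildItem -Path $Root -Include '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $current[$_.FullName] = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash }
    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        return
    }
    $baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
    foreach ($path in $current.Keys) {
        $old = $baseline.$path
        if ($null -eq $old)               { [pscustomobject]@{ Path = $path; Change = 'new' } }
        elseif ($old -ne $current[$path]) { [pscustomobject]@{ Path = $path; Change = 'modified' } }
    }
}

Get-AppInitDlls | Format-Table -AutoSize
Get-TaskExecActions | Where-Object Suspicious | Format-Table -AutoSize
Find-UnsignedSystemDlls | Format-Table -AutoSize
# Placeholder share and baseline location; adjust for your environment.
Compare-ExecutableBaseline -Root '\\fileserver\share' -BaselinePath "$env:ProgramData\exe-baseline.json"
```

Run the baseline comparison once while the share is known clean, store the JSON somewhere the share's users cannot write, and re-run it after removable media or the share has been used in the air-gapped segment; a "modified" entry on an executable nobody rebuilt is exactly the propagation pattern described above.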
“Based on the different instances of the framework found, Ramsay has gone through various development stages, denoting an increasing progression in the number and complexity of its capabilities. Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications,” ESET said.
“Some stages of Ramsay’s framework are still under evaluation, which could explain the current low visibility of victims, having in mind that Ramsay’s intended targets may be under air-gapped networks, which would also impact victim visibility,” the researchers added.