Threat Management, Threat Management, Threat Intelligence, Malware

Ramsay spy framework built to subvert air-gapped defenses

Air-gapped networks aren't easily compromised, but they don't offer perfectly air-tight security either. Leveraging insider threats, infecting flash drives and other removable media, and conducting side-channel attacks are all techniques malicious actors can employ to spread malware to isolated systems.

Indeed, researchers at ESET are reporting the discovery of a new cyber espionage framework designed with the intention of doing just that. They call it Ramsay, and they say it's built to collect and exfiltrate documents while operating and propagating within air‑gapped networks.

In a company blog post, ESET malware researcher Ignacio Sanmillan says so far there are few known victims of Ramsay, which suggests the toolkit is still being refined by its developers. Or, worse, the true victim count is understated simply to due poor visibility of targeted organizations.

Either way, "The Ramsay malware proves that air-gapped networks are not completely immune to breaches," said Mordechai Guri, head of research and development at Ben-Gurion University of the Negev's Cyber-Security Research Center and chief scientific officer at Morphisec. Guri has extensive experience studying vulnerabilities in and exploits of air-gapped networks.

According to ESET's post, Ramsay is capable of rounding up existing Microsoft Word documents within a target’s filesystem, searching not just the system drive, but also network and removable drives (depending on the version of the malware).

The files are encrypted and saved in a directory and then compressed into an archive file. This file gets saved within the directory then generates container artifacts that are secretly appended to .doc files. "Even though affected documents will be modified, it won’t impact their integrity; each affected Word document remains fully operational after artifact appending has taken place," explains Sanmillan in the ESET blog post.

How Ramsay actually executes exfiltration of these artifacts, however, is unknown. ESET suspects an unidentified "external component" scans victims' file systems for magic values contained within the Ramsay containers in order to find artifacts for exfiltration.

Guri said Ben Gurion University has investigated and experimented with multiple possible methods of exfiltrating data and files from air-gapped networks. "In our research we are focusing on air gap covert channels: techniques for leaking the data from air gapped networks via electomagnetic, magnetic, optical, acoustic, thermal and even vibrational methods," said Guri.

Additionally, Ramsay scans all network shares and most removable drives for control files in order to leverage them for command execution, while a spreader component of the malware similarly scans these same shares and drives for propagation purposes.

"It is important to notice that there is a correlation between the target drives Ramsay scans for propagation and control document retrieval," the ESET blog post notes. "This assesses the relationship between Ramsay's spreading and control capabilities, showing how Ramsay's operators leverage the framework for lateral movement, denoting the likelihood that this framework has been designed to operate within air-gapped networks.

"The propagation technique mainly consists of file infection much like a prepender file infector in order to generate executables similar in structure to Ramsay’s decoy installers for every accessible PE file within the aforementioned targeted drives," Sanmillan explains.

For further lateral movement within a targeted organization, some Ramsay components can also scan for machines that are vulnerable to the SMB vulnerability known as EternalBlue, ESET reports.

ESET has linked some of Ramsay's artifacts with the Retro backdoor, which historically has been tied to the reputed Korean APT group DarkHotel.

"The Ramsay malware has all the hallmarks of a state-sponsored intelligence operation," said Chris Clements, security awareness advocate at Cerberus Sentinel. "It has capabilities to restrict its behavior to specific targets, which are typically not seen in general cybercrime malware built to infect indiscriminately."

Furthermore, "It's designed to spread itself onto air-gapped computers, which are found in the highest security networks such as those used by militaries and other intelligence organizations," Clements continued. "The presence of Korean language metadata and code similarities to the Retro malware strain by the DarkHotel group could indicate that the South Korean government is involved in Ramsay's creation, although attribution is fraught in these instances, as false-flag operations are techniques that can be used by intelligence agencies."

In related news, Trend Micro threats analyst Joey Chen this week reported that Tropic Trooper -- a threat actor that typically shows keen interest in companies operating in Hong Kong, Taiwan and the Philippines -- has recently been attempting to compromise air-gapped, isolated networks run by the Taiwanese and the Philippine militaries. Its weapon of choice: the USBferry trojan, a data-stealing malware that spreads via USB drives.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.