ESET discovers cyber espionage framework Ramsay

In News, Research

ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an ongoing development process.

“We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing,” says Alexis Dorais-Joncas, head of ESET’s Montreal-based research team.

 

According to ESET findings, Ramsay has gone through several iterations based on the different instances of the framework found, denoting a linear progression on the number and complexity of its capabilities. The developers in charge of infection vectors seem to be trying different approaches, such as using old exploits for Microsoft Word vulnerabilities from 2017 and deploying trojanized applications for delivery, potentially via spear-phishing. The three discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.

Ramsay’s architecture provides a series of capabilities managed via a logging mechanism:

  • File collection and covert storage: The primary goal of this framework is to collect all existing Microsoft Word documents within a target’s file system.
  • Command execution:Ramsay’s control protocol implements a decentralized method of scanning and retrieving commands from control documents.
  • Spreading:Ramsay’s embeds a component that seems to be designed to operate within air-gapped networks.

“Especially noteworthy is how the architectural design of Ramsay, especially the relationship between its spreading and control capabilities, allows it to operate in air-gapped networks – meaning networks that are not connected to the internet,” says Dorais-Joncas.

Comments

You may also read!

Okta, CrowdStrike, Netskope and Proofpoint partner to implement security strategy

Okta, CrowdStrike, Netskope, and Proofpoint today announced the companies are coordinating to help organizations implement an integrated, zero trust

Read More...

Three step process to mitigate cyber-attacks during the COVID-19 pandemic

With a majority of the organizations opting for remote working in the Middle East due to the COVID-19 pandemic,

Read More...

Cybereason publishes report on global Android mobile malware campaign

Cybereason today published new research from its Nocturnus Research team, titled, FakeSpy Masquerades as Postal Service Apps Around the

Read More...

Join Our Newsletter!

Love SecurityMEA? We love to tell you about our new stuff. Subscribe to newsletter!

Mobile Sliding Menu