Security researchers at ESET have discovered a malware toolkit that appears to be designed to steal documents from air-gapped computers. The malware collects documents on an infected system and waits for them to be retrieved from there.
ESET calls the malware Ramsay. The company discovered a sample of it on VirusTotal. The malware gets onto a system in several ways. For example, Ramsay exploits multiple vulnerabilities in Microsoft Word, including CVE-2017-0199 and CVE-2017-11882. Patches for both vulnerabilities have been available for years, but the malware assumes they have not been deployed. In another case, the malware was spread through an infected 7-Zip installer.
If the victim opens the infected document, no contact is made with a command-and-control server, as happens with most malware infections. There are other indications as well that Ramsay mainly targets air-gapped networks. After installation, the malware searches for specific Word documents and for PDF and zip files. These are placed in a hidden folder on the PC, where they wait until they are removed from the machine. It is not clear exactly how that removal is meant to happen. Just as the malware has to be physically placed on a PC in the first place, the collected files presumably have to be physically carried off as well. This follows from the defining characteristic of air-gapped networks: they are not connected to the internet, which usually makes them difficult to infect with malware.
The malware has several methods of spreading through a network. One component is a scanner that checks the local network for computers vulnerable to the SMBv1 flaw known as EternalBlue. There is also a ‘Spreader’ component. It searches for network drives and removable disks such as USB sticks and external HDDs, and Ramsay places portable executables on them. When run on another computer, the executable searches for documents to infect and thereby rolls out the rest of the malware.
ESET says that the malware has several advanced methods of persisting on a system. One is a technique known as ‘phantom DLL hijacking’, in which the malware takes advantage of old, disused DLLs in Windows.
The company says the malware is difficult to attribute. The researchers found some similarities to a malware module called Retro, which is used by the hacking group Darkhotel. That group conducts espionage campaigns in Asia.
ESET says it has not encountered the malware much in the wild yet. According to the researchers, Ramsay is also still under development. For example, multiple variants of the toolkit are reportedly in circulation, with newer versions also looking for other file formats. The ESET researchers also found traces of test files such as test.docx in the code. According to the company, the first version of the malware dates from September 2019, and two newer versions were updated in late March.