Malware analysis

Ramsay malware: What it is, how it works and how to prevent it | Malware spotlight

Introduction

The unique functionality of things normally makes them as much of a point of interest as an oddity. Malware is no exception to this notion and a malware framework known as Ramsay provides a great example of it. 

Unlike nearly every other malware, Ramsay has the ability to jump air gaps in an organization’s network to infect computers. 

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Start Learning

This article will detail what Ramsay is, how it works and how you can defend against it. This advanced functionality makes Ramsay particularly important for malware researchers to study and may provide knowledge useful in preventing malware with this functionality in the future.

What is Ramsay?

In September of 2019, researchers at ESET discovered a malware framework dubbed Ramsay. This malware was designed to jump air gaps in an organization’s network to infect computers that would otherwise be isolated from malware (unless a user installs an infected device such as a USB drive). 

Air gaps are generally considered to be one of the most effective and strict information security measures and are used extensively in both manufacturing and critical infrastructure. Attackers know this, which is why getting into an air-gapped network has been called the “Holy Grail” of security breaches.

Researchers have observed three different versions of Ramsay. Version 1 was distributed via malicious Office document attachments to emails which exploited CVE-2017-0199, a Microsoft Word remote execution flaw, to facilitate the malware installation. This exploit allows attackers to launch malicious code when an RTF document is launched. VirusTotal has discovered several different versions of these documents with indications that may have been used to test how well Ramsay performed vis-à-vis vendors’ static engines. 

Newer Ramsay versions, v2.a and v2.b, were observed being distributed as malicious installers masquerading as popular applications, including 7zip. These versions allowed for more aggressive spreading via infecting portable executable (PE) files residing on connected removable drives. Ramsay v2.b has been observed exploiting CVE-2017-11882, which allows for arbitrary code execution in different versions of MS Office as the current user and is a marked step-up of malicious functionality.

It should be noted that researchers have observed some shared artifacts in Ramsay that are also used in the Retro backdoor. While it is still not known for sure who is behind the Ramsay malware, the similarities it has with Retro may indicate that Darkhotel, an APT which is considered to be in the interests of the South Korean government, is behind it.

As the future unfolds, researchers are likely to discover more about this malware which will help in fighting the “spreading of its wings” or moving out of the realm of being focused on highly-targeted, specialized attack campaigns and into a broader attack landscape.

How Ramsay works

The main role of Ramsay is to gather ZIP, Word and PDF files, hide them in a concealed folder and then exfiltrate them at a later time. What is of more interest is how Ramsay jumps air gaps to infect computers. While it is still not entirely known how it does this, we do know some things. 

Malware cannot jump air gaps without some novel functionality that is as of yet unknown to the general information security public. This does not mean that air-gapped computers can’t become infected; when they do, it is normally due to infected removable drives. Researchers currently find that the most likely way for Ramsay to jump the air gap is by infecting PE on removable drives, where the malware is downloaded when the file is executed. This spreading mechanism was first witnessed in the later versions of this malware framework and has been described as highly aggressive.

After infection, several modules execute, which unleashes the core capabilities of the malware. These capabilities gather all ZIP files, Microsoft Word documents and PDF files. Ramsay then allows for escalation of privileges, scans for removable drives and network shares and takes screenshots. 

It is currently unknown exactly how Ramsay exfiltrates the files it collects from infected systems. Researchers at ESET believe that Ramsay uses an external component that scans the infected computer’s file system for the malware’s hidden storage container’s magic values to identify where the files are.

Ramsay does not have a network-based central communication protocol, such as a C2 server. Rather, it uses a decentralized control protocol that appears tailor-made for operating on an air-gapped system. 

In terms of persistence, the malware uses several mechanisms. These persistence mechanisms include:

• AppInit DLL registry key
• Phantom DLL hijacking
• Scheduled task via COM API

How to prevent Ramsay

So far, Ramsay’s victims have had a low visibility profile. This is likely because they are on air-gapped networks. With this said, this does not mean that the number of victims is truly as small as it seems. This is further obscured by the fact that portions of the malware are still under development, so we really have not seen it at full stride yet.

For those concerned with preventing Ramsay, most respected AV and anti-malware solutions can detect it. It is recommended to scan your removable drives and when you are not using them, simply disconnect them from your computer. While Ramsay may be able “jump” an air gap, it won’t be able to jump the gap of a disconnected removable drive.

If you are interested in researching Ramsay, here is its respective IOC (SHA):

 f79da0d8bb1267f9906fad1111bd929a41b18c03

e60c79a783d44f065df7fd238949c7ee86bdb11c82ed929e72fc470e4c7dae97

3849e01bff610d155a3153c897bb662f5527c04c

22b2de8ec5162b23726e63ef9170d34f4f04190a16899d1e52f8782b27e62f24

bd97b31998e9d673661ea5697fe436efe026cba1

aceb4704e5ab471130e08f7a9493ae63d3963074e7586792e6125deb51e40976

e7987627200d542bb30d6f2386997f668b8a928c

610f62dd352f88a77a9af56df7105e62e7f712fc315542fcac3678eb9bbcfcc6

ae722a90098d1c95829480e056ef8fd4a98eedd7

823e21ffecc10c57a31f63d55d0b93d4b6db150a087a92b8d0e1cb5a38fb3a5f

19bf019fc0bf44828378f008332430a080871274

823e21ffecc10c57a31f63d55d0b93d4b6db150a087a92b8d0e1cb5a38fb3a5f

5c482bb8623329d4764492ff78b4fbc673b2ef23

cc7ac31689a392a2396f4f67d3621e65378604b16a2420ffc0af1e4b969c6689

bd8d0143ec75ef4c369f341c2786facbd9f73256

dede24bf27fc34403c03661938f21d2a14bc50f11297d415f6e86f297c3c3504

5a5738e2ec8af9f5400952be923e55a5780a8c55

6f9cae7f18f0ee84e7b21995a597b834a7133277637b696ba5b8eea1d4ad7af1

Conclusion

Ramsay is a malware that has gained notoriety for specialization in targeting systems isolated by an air gap. The point of interest here is that it seemingly “jumps” this air gap, presumably by infecting PE files on the removable drives connected to an infected computer. The drive is then used on the isolated computer and gains its beachhead on that system when the file is executed. 

We are still learning more about this malware. Researchers are monitoring the situation and watching for Ramsay to widen its attack landscape.

 

Sources

1. Ramsay Malware Targets Air-Gapped Networks, Threatpost
2. Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks, SentinelOne Blog
3. Ramsay: A New Cyber Espionage Toolkit to Steal Data from Air-Gapped Networks, CISO MAG
4. Are Air-Gapped Networks Enough to Stop Malware? They Might Not Be for Long, CPO Magazine