A new malware toolkit has been discovered that appears to have been developed to steal sensitive data from air-gapped networks. Researchers at ESET have named the malware Ramsay and report that it has a range of advanced features that allow it to stay under the radar and steal highly sensitive data from victims.
One of the most effective ways of protecting sensitive data is to ensure that it is not saved on any device accessible through the internet and is isolated from the rest of the corporate network. These isolated systems are used to store highly sensitive intellectual property and top-secret documents. Air-gapped networks are used by governments and large enterprises to ensure that, even in the event of a major cyberattack, their most sensitive data cannot be accessed.
While there have been several proof-of-concept attacks that have the potential to jump the air gap, in practice conducting an attack that makes the jump to an air-gapped system is close to impossible. Enter Ramsay malware.
ESET reports that Ramsay malware appears to have been developed specifically to target air-gapped systems and reach isolated networks where extremely valuable data is stored. The researchers have identified three versions of Ramsay malware, the first dating back to September 2019. Each uses a different method to infect a victim, but the core functions are the same in each of the three versions. The first version has been distributed using malicious documents that exploit the vulnerability CVE-2017-0199, the second was delivered using a 7zip installer, and the third used malicious documents that exploited the vulnerability CVE-2017-11882.
Once it is installed, Ramsay malware scans for Word, PDF, and ZIP files, creates a copy, encrypts the copies, and stores them in a hidden folder on the system for exfiltration. The malware also has a module designed to spread a copy of itself onto other systems, including those that are air-gapped. The malware searches for all portable executable (PE) files on network shares and removable drives and appends a copy of itself to each file. When the file is run, the malware will be installed.
This method of spreading allows the malware to get around network segmentation practices. The malware will be installed whenever an infected PE file is copied from one device to another and run, so a copy will eventually end up on an air-gapped system. There is no communication with a command-and-control server, which allows it to stay hidden. The malware appears to be under active development, and the researchers have reported that it has been used in real-world attacks.
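A defender-side check suggested by the spreading method above, added here as an example and not code from ESET's report: a PE file that has had something appended to it carries data past the end of its last section (an "overlay"), which can be parsed out of the PE headers without any signature. The sample PE built by `build_minimal_pe` is constructed for the test and is not a real binary; the caveat that legitimate signed binaries and installers also carry overlays is my assumption about how to triage hits.

```python
import struct
from pathlib import Path
from typing import Iterable, List, Optional, Tuple
# Added example (not ESET's code): flag PE files carrying data past their last
# section (an "overlay"), the shape left when a spreader appends itself to a
# file. Signed binaries and installers also have overlays (Authenticode
# signature, bundled payloads), so a hit is a triage signal, not a verdict.

def pe_overlay_size(data: bytes) -> Optional[int]:
    """Bytes after the last section's raw data, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    sect_table = e_lfanew + 24 + opt_size
    end_of_image = sect_table + 40 * num_sections  # headers are image data too
    for i in range(num_sections):
        off = sect_table + 40 * i
        if off + 40 > len(data):
            return None  # truncated section table, not a well-formed PE
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(len(data) - end_of_image, 0)

def scan_for_overlays(paths: Iterable[Path]) -> List[Tuple[Path, int]]:
    """(path, overlay_bytes) for each PE in paths that has a non-empty overlay."""
    hits = []
    for p in paths:
        if p.is_file():
            size = pe_overlay_size(p.read_bytes())
            if size:
                hits.append((p, size))
    return hits

def build_minimal_pe(payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: minimal one-section PE (not runnable) to exercise the check."""
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, no opt hdr
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + section
    return headers.ljust(raw_ptr, b"\0") + payload + overlay

if __name__ == "__main__":
    clean, appended = build_minimal_pe(b"\x90" * 64), build_minimal_pe(b"\x90" * 64, b"A" * 1000)
    print(pe_overlay_size(clean), pe_overlay_size(appended))  # 0 1000
```

Point `scan_for_overlays` at the PE files on a removable drive or share and compare any hit against a known-good copy of the same file; a size that changed between two copies of the same binary is the signal worth escalating.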
While the researchers at ESET were able to determine how the malware works and spreads, they have not yet determined how the malware exfiltrates data from air-gapped systems. The researchers believe data theft occurs using an external component that they have not yet identified.
It is not known who is behind the malware, but the researchers identified several artifacts that are shared with the Retro malware, which has been used by the DarkHotel hacking group, which is affiliated with South Korea. DarkHotel has been active since at least 2004 and has conducted attacks on several targets in China and Japan.