According to ESET, a recently discovered cyber-espionage system is capable of collecting and filtering sensitive information, even from airborne networks.
The structure known as ramsay appears to be under development and its operators are still working on the vectors for the supply of petroleum products. Visibility of the victim is poor, either because the system is not widely used or because the air suspension nets are used selectively.
Ramsay appears to have been under development since the end of 2019 and ESET safety researchers believe that there are currently two supported versions, each tailored to the configuration of different targets.
Version 1 of the malware, which appears to have been developed at the end of September 2019, was released through malicious documents that attempted to use the CVE-2017-0199.
Version 2, dated March 2020, shows subtle avoidance and resistance, as well as the diffusion element and the rootkit. There were two versions of this release, one distributed via the bait installer and the other via malicious documents using the CVE-2017-11882. The second version lacks a retractor.
The expander is designed as a file infection that incorporates malicious Ramsay artifacts into PE executable files located on removable media and network drives. The diffuser is extremely aggressive in modifying all PE executable files found on the target drives.
The framework makes use of different stability mechanisms: AppInit DLL registry keys, scheduled tasks via COM API and a technique known as Phantom DLL hijacking (based on outdated dependencies used by Windows applications).
This technique of persistence [Ghost DLL hijacking] is extremely versatile and allows Ramsay agents delivered as DLLs to fragment their logic into different sections and implement different functionalities that are tailored to the processes of the subject the agent is in charge of. Moreover, the use of this technique makes detection more difficult because loading these DLL’s in the right process/services does not necessarily cause an alarm, according to the ESET.
Ramsay’s list of functions includes file collection (which focuses on all existing Microsoft Word documents in the target file system), execution of commands (without the Network Communication and Control (C&C) protocol, it relies on control files to obtain three commands: File execution, DLL download, Batch), and distribution (in addition to infecting files, Ramsay sets up a network scanner to find machines vulnerable to EternalBlue).
The assignor with ESET recycles some of the previously observed tokens in the back door of a retro that was linked to a threatening player connected to South Korea, called DarkHotel. Both families of malware use the same encryption algorithm for certain operations, and both store some of their log files in a similar way (using the same filename convention) and use similar open source tools in their toolkits.
Finally, we noticed that Korean metadata in malicious documents used by Ramsay, indicating the use of Korean templates, ESET also noted.
That’s what it looks like: Investigating the pattern of Triton’s attacks: Lessons learned to protect industrial systems
That’s what it looks like: The cyber-espionage platform Uttor, which was used in the attacks on Russia.
That’s what it looks like: New spy framework detected for Android
Ionat Argir is the international correspondent for Security Week.
Previous chronicles of Ionat Argir: