ESET analysts discovered the infrastructure of a previously unknown Ramsay malware with some very interesting features. Ramsay attacks and collects data from PCs, which are isolated from the outside world.
Having penetrated into such a system, the malware collects Word files and other confidential documents, hides them in a special concealed container and waits for the opportunity to transfer data outside.
“We discovered the first copy of Ramsay on VirusTotal. This sample was downloaded from Japan, and it led us to discovery of additional components and versions of the platform”, – say the experts.
Malware, designed to steal information from machines, which are physically isolated from any networks and potentially dangerous peripherals, is very rare. Such computers are mainly used in government systems and corporate networks, and, as a rule, on them stored secret documents, as well as other secret and confidential information, including, for example, intellectual property.
ESET researchers write that they managed to find three different versions of Ramsay, one of which was compiled in September 2019 (Ramsay 1), and the other two at the beginning and end of March 2020 (Ramsay 2.a and 2.b). Ramsay infiltrates the system through malicious documents that are distributed via phishing emails or via a USB drive. Next, malware uses the old RCE problem in Microsoft Office to “deploy” to the system.
All versions of the malware are different from each other and infect victims in different ways, but the essence remains unchanged: having penetrated the system, the malware needs to scan the infected computer, collects Word, PDF and ZIP files in a hidden folder and prepares them for subsequent transfer.
Some versions have a special distribution module that adds copies of Ramsay to all PE files found on removable drives and among network resources.
“Malware could use this mechanism for distribution to reach isolated machines and networks. After all, users can move infected executable files between different levels of the corporate network, and ultimately the malware will end up in isolated systems”, — say the researchers.
ESET analysts admit that they were unable to determine how Ramsay retrieves data, collected on isolated machines. Also, experts did not draw specific conclusions regarding the attribution of Ramsay, however, it is noted that the malware is similar to the Retro malware, which was developed by the South Korean hackers’ group DarkHotel.
Let me remind you that I recently wrote about another unusual attack, also applicable off-line – through the so-called BadUSB.