A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which they spotted on the VirusTotal malware scanning engine; they believe the hacker behind it is likely interested in high-value computers protected behind air-gapped networks.
Dubbed ‘Ramsay,’ the malware is still under development, with two more variants (v2.a and v2.b) spotted in the wild, and doesn’t yet appear to be a complex attack framework, based on the details the researcher shared.
However, before reading anything further, it’s important to note that the malware itself doesn’t leverage any extraordinary or advanced technique that could let attackers jump air-gapped networks to infiltrate or exfiltrate data from the targeted computers.
According to the researcher, Ramsay infiltrates targeted computers through malicious documents, potentially sent via a spear-phishing email or dropped using a USB drive, and then exploits an old code execution vulnerability in Microsoft Office to gain a foothold on the system.
‘Several instances of these same malicious documents were found uploaded to public sandbox engines, labeled as testing artifacts such as access_test.docx or Test.docx denoting an ongoing effort for trial of this specific attack vector,’ the researcher said.
The Ramsay malware has two main functions:
Collecting all existing Word documents, PDFs, and ZIP archives within the target’s filesystem and storing them in a pre-defined location on the same system, or directly on network or removable drives.
Spreading itself to other computers used within the same isolated facility by infecting all executable files available on network shares and removable drives.
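As an added example (not code from ESET’s analysis or from this article), the two behaviours above can be watched for from the defender’s side on a network share or removable drive: a hash baseline of executables flags files that changed or appeared since the share was known-clean, and a count of Word/PDF/ZIP files per directory flags an unusual staging location. The file suffixes and the threshold of 20 documents are assumptions, and the sample share is constructed inside the script.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: "executable files" on the share means PE files with these suffixes.
EXECUTABLE_EXTS = {".exe", ".dll"}
# The document types the article says Ramsay collects.
COLLECTED_EXTS = {".doc", ".docx", ".pdf", ".zip"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Hash every executable under root; run this while the share is known-clean."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS}

def changed_executables(root: Path, known: dict) -> list:
    """Executables that appeared since the baseline or whose content no longer matches it."""
    return sorted(rel for rel, digest in baseline(root).items() if known.get(rel) != digest)

def document_hoards(root: Path, threshold: int = 20) -> list:
    """Directories holding many Word/PDF/ZIP files: a candidate staging location for collected files."""
    counts = Counter(p.parent for p in root.rglob("*")
                     if p.is_file() and p.suffix.lower() in COLLECTED_EXTS)
    return sorted(d.relative_to(root).as_posix() for d, n in counts.items() if n >= threshold)

def demo() -> tuple:
    """Constructed sample share: one executable is altered, one is added, one folder fills with documents."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "setup.exe").write_bytes(b"MZ original binary")
        (root / "tools" / "update.exe").write_bytes(b"MZ another binary")
        known = baseline(root)
        # Simulate the propagation and collection behaviours after the baseline was taken.
        (root / "tools" / "setup.exe").write_bytes(b"MZ original binary" + b"<appended code>")
        (root / "tools" / "new.exe").write_bytes(b"MZ dropped binary")
        (root / "staging").mkdir()
        for i in range(25):
            (root / "staging" / f"doc{i}.docx").write_bytes(b"PK")
        (root / "docs").mkdir()
        (root / "docs" / "manual.pdf").write_bytes(b"%PDF")
        return changed_executables(root, known), document_hoards(root)
```

Running `demo()` reports the altered and the newly dropped executable but not the untouched one, and only the directory that accumulated documents.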
According to the researcher, the Ramsay samples they found do not have a network-based C&C communication protocol, nor do they make any attempt to connect to a remote host for communication purposes.
This raises the question of how the attackers are supposed to exfiltrate data from a compromised system.
Honestly, there’s no clear answer at this moment, but the researcher speculates that the malware might have been ‘tailored for air-gapped networks’ and similar scenarios, considering that the only option left is to physically access the machine and steal the collected data with a weaponized USB drive.
‘It is important to notice that there is a correlation between the target drives Ramsay scans for propagation and control document retrieval,’ the ESET researcher said.
‘This assesses the relationship between Ramsay’s spreading and control capabilities showing how Ramsay’s operators leverage the framework for lateral movement, denoting the likelihood that this framework has been designed to operate within air-gapped networks.’
‘The current visibility of targets is low; based on ESET’s telemetry, few victims have been discovered to date. We believe this scarcity of victims reinforces the hypothesis that this framework is under an ongoing development process, although the low visibility of victims could also be due to the nature of targeted systems being in air-gapped networks,’ he added.
However, the theory is not yet supported by technical or statistical evidence and remains a broad guess.
Moreover, since the malware is still under development, it’s too early to say whether the malware has been designed solely to target air-gapped networks.
It is quite possible that future versions of the malware could connect to a remote attacker-controlled server to receive commands and exfiltrate data.
We have reached out to the ESET researcher for more clarity on the ‘air-gap’ claim and will update this story once he responds.