ESET Research Discovers Cyber Espionage Framework Ramsay

ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an ongoing development process. 

According to ESET findings, Ramsay has gone through several iterations based on the different instances of the framework found, denoting a linear progression on the number and complexity of its capabilities. The developers in charge of infection vectors seem to be trying different approaches, such as using old exploits for Microsoft Word vulnerabilities from 2017 and deploying trojanized applications for delivery, potentially via spear-phishing. The three discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.

Ramsay’sarchitecture provides a series of capabilities managed via a logging mechanism:

  • File collection and covert storage: The primary goal of this framework is to collect all existing Microsoft Worddocuments within a target’s file system.
  • Command execution: Ramsay’s control protocol implements a decentralized method of scanning and retrieving commands from control documents.
  • Spreading: Ramsay’s embeds a component that seems to be designed to operate within air-gapped networks.

For more technical details about Ramsay, read the blog post “Ramsay: A cyber espionage toolkit tailored for Air-Gapped Networks” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: