ESET Research Discovers Cyber Espionage Framework Ramsay
ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an ongoing development process.
According to ESET findings, Ramsay has gone through several iterations, based on the different instances of the framework found, indicating a linear progression in the number and complexity of its capabilities. The developers in charge of infection vectors seem to be trying different approaches, such as using old exploits for Microsoft Word vulnerabilities from 2017 and deploying trojanized applications for delivery, potentially via spear-phishing. The three discovered versions of Ramsay differ in complexity and sophistication, with the latest, third version being the most advanced, especially with regard to evasion and persistence.
Ramsay’s architecture provides a series of capabilities managed via a logging mechanism:
File collection and covert storage: The primary goal of this framework is to collect all existing Microsoft Word documents within a target’s file system.
Command execution: Ramsay’s control protocol implements a decentralized method of scanning and retrieving commands from control documents.
Spreading: Ramsay embeds a component that seems to be designed to operate within air-gapped networks.
For more technical details about Ramsay, read the blog post “Ramsay: A cyber espionage toolkit tailored for Air-Gapped Networks” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
This entry was posted on May 15, 2020 at 12:09 pm and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.