To counter the vulnerabilities found in internet-connected machines, we’ve seen the use of air-gapped computers rise. These are computers that are completely isolated from any outside network in order to increase security.
However, over the past few years, we have also seen malware that targets these so-called air-gapped machines become more common. One example is a malicious framework with unusual capabilities, discovered just recently by the cybersecurity firm ESET.
These centre on the malware’s ability to steal documents, including Word, PDF and Zip files, and then transmit them back to the attackers, although how this transmission is carried out is still unknown.
The malware, named Ramsay, has three different versions, each compiled on a different date and functioning in a different way:
- Ramsay v1 – September 2019
- Ramsay v2.a – March 2020
- Ramsay v2.b – March 2020
Overview of Ramsay malware:
For example, in v1 the malware uses documents that contain a malicious Visual Basic script named “OfficeTemporary.sct” embedded within a JPG file. Once this script is loaded, it unleashes the “Ramsay agent”, letting the malware do its job.
However, based on their analysis, the researchers believe that subsequent versions of Ramsay have evolved to become more complex. These include a “spreader component” that is used to infect portable executable (PE) files found on both portable and network shared drives.
As for how the malware came to be named in the first place, this can be traced back to its discovery, when the researchers found a sample uploaded to VirusTotal from Japan.
Some of the strings within it were found to contain the word “Ramsey”, which gave the malware its name, as shown in the photo below:
Commenting further on their findings, the researchers stated in their blog post that:
This led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a developmental stage, with its delivery vectors still undergoing fine-tuning.
To conclude, no specific group is known to be behind this framework as of yet. However, the researchers have pointed out similarities between it and the Retro malware, which may hint at a common origin with the hacking group known as Darkhotel.
For those of you wanting to know more about such techniques, a look at previous air-gap attacks we’ve covered on HackRead.com can be a good starting point.