Security researchers at the cyber-security firm ESET have discovered a new malware framework with a combination of capabilities they had not seen before.
The toolkit, dubbed Ramsay, is designed to infect air-gapped computers, collect Word and other sensitive documents into a hidden storage container, and then wait for an opportunity to exfiltrate them.
Malware able to jump an air gap is rare. The air gap is considered one of the most effective protective measures a company can adopt to safeguard sensitive data.
Air-gapped systems are computers or networks that are isolated from the rest of a company's network and cut off from the public internet.
They are usually found on the networks of government agencies and large enterprises, where top-secret documents or intellectual property are stored.
Because such a network has no connection to the internet or to nearby devices, a remote breach is often considered impossible. In practice the gap is only as strong as what crosses it physically, such as removable drives and the files carried on them.
According to the report ESET published, the rare strain they discovered can jump the air gap and reach isolated networks.
The researchers found three different versions of Ramsay: v1, compiled in September 2019, and v2.a and v2.b, compiled in early and late March 2020 respectively.
Each version differs and uses its own techniques to infect victims, but the core role of the malware is the same: scan the infected computer, collect Word, PDF and ZIP documents into a hidden storage folder, and keep them ready for exfiltration at a later time.
The malware is believed to reach isolated networks through a spreader module that appends copies of itself to every PE (portable executable) file found on removable drives and network shares. This is classic file-infector behaviour: when one of those infected executables is later carried onto an isolated machine and run, the appended Ramsay code runs with it.
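A spreader that appends a copy of itself to every PE on a removable drive leaves a measurable trace: the host file grows, and the bytes beyond the end of its last declared section (the overlay) now contain a second MZ/PE header. The script below is an added example, not ESET's detection logic and not any Ramsay component. It parses just enough of the PE format to locate where the declared image ends, checks the overlay for an embedded PE header, and can be pointed at a mounted USB drive or share. The tiny PE it builds and the `simulate_append_infection` helper are constructed stand-ins for a real host binary and the generic "append a copy" step; neither reproduces Ramsay's actual code.

```python
"""Flag PE files whose overlay carries a second PE image.

Added example, not ESET's code or a Ramsay component: a generic check for the
trace an "append myself to every PE on this drive" spreader leaves behind.
"""
import os
import struct
from typing import Dict, List, Optional

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000


def build_minimal_pe(code: bytes = b"\xc3") -> bytes:
    """Construct a tiny but well-formed PE32 image (constructed sample, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)                                # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 4, FILE_ALIGN)          # SizeOfCode
    struct.pack_into("<I", opt, 16, SECT_ALIGN)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, SECT_ALIGN)         # BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<I", opt, 32, SECT_ALIGN)         # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)         # FileAlignment
    struct.pack_into("<H", opt, 48, 4)                  # MajorSubsystemVersion
    struct.pack_into("<I", opt, 56, 2 * SECT_ALIGN)     # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)         # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                  # Subsystem: console
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), SECT_ALIGN,
                          FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(FILE_ALIGN, b"\0")
    return headers + code.ljust(FILE_ALIGN, b"\0")


def pe_image_end(data: bytes) -> Optional[int]:
    """Return the file offset where the PE's declared content ends, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * n_sections                   # at least the section table itself
    for i in range(n_sections):
        hdr = sec_table + 40 * i
        if hdr + 40 > len(data):
            return None                                 # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_embedded_pe(blob: bytes) -> Optional[int]:
    """Offset of the first MZ header in blob whose e_lfanew lands on a PE signature, else None."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if 0x40 <= lfanew < 0x1000 and blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def scan_pe(data: bytes) -> Dict[str, object]:
    """Classify one file: is it a PE, how large is its overlay, does the overlay hold a PE?"""
    end = pe_image_end(data)
    if end is None:
        return {"is_pe": False}
    overlay = data[end:]
    hit = find_embedded_pe(overlay)
    return {"is_pe": True, "overlay_size": len(overlay),
            "embedded_pe_at": None if hit is None else end + hit}


def simulate_append_infection(host: bytes, payload: bytes) -> bytes:
    """Stand-in for the generic 'append a copy to the host' step; not Ramsay's real routine."""
    return host + payload


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a mounted removable drive or share; return files whose overlay carries a PE image."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_pe(fh.read())
            except OSError:
                continue
            if result.get("is_pe") and result["embedded_pe_at"] is not None:
                hits.append({"path": path, **result})
    return hits


if __name__ == "__main__":
    clean = build_minimal_pe()
    infected = simulate_append_infection(clean, build_minimal_pe(b"\x90\xc3"))
    print("clean:   ", scan_pe(clean))
    print("infected:", scan_pe(infected))
```

Run `scan_tree("/media/usb")` (or a drive letter on Windows) before a drive is carried across the gap. A non-empty overlay on its own is noise, since installers, self-extracting archives and Authenticode-signed binaries all legitimately keep data past the last section; a complete MZ/PE header inside the overlay is the stronger signal, but it is still a triage hit to be compared against a known-good copy of the file, not a verdict.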
ESET could not positively identify Ramsay’s exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.
Ignacio Sanmillan, a researcher at ESET, said that they initially found an instance of Ramsay on VirusTotal, uploaded from Japan, which led them to discover further components and versions of the framework.
It is not known who is behind the malware, but according to the researcher it shares several artifacts with Retro, a malware strain developed earlier by the hacker group DarkHotel, which is believed to operate in the interests of the South Korean government.