A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which they spotted on the Virustotal malware scanning engine and believe the hacker behind it is likely interested in some high-value computers protected behind air‑gapped networks.
Dubbed ‘Ramsay,’ the malware is still under development with two more variants (v2.a and v2.b) spotted in the wild and doesn’t yet appear to be a complex attacking framework based upon the details researcher shared.
However, before reading anything further, it’s important to note that the malware itself doesn’t leverage any extraordinary or advanced technique that could let attackers jump air-gapped networks to infiltrate or exfiltrate data from the targeted computers.
According to ESET researcher Ignacio Sanmillan, Ramsay infiltrates targeted computers through malicious documents, potentially sent via a spear-phishing email or dropped using a USB drive, and then exploits an old code execution vulnerability in Microsoft Office to take hold on the system.
‘Several instances of these same malicious documents were found uploaded to public sandbox engines, labelled as testing artefacts such as access_test.docx or Test.docx denoting an ongoing effort for trial of this specific attack vector,’ the researcher said.
Ramsay malware primarily consists of two main functionalities:
- Collecting all existing Word documents, PDFs, and ZIP archives within the target’s filesystem and storing them to a pre-defined location on the same system or directly to a network or removable drives.
- Spreading itself to other computers being used within the same isolated facility by infecting all executable files available on a network shares and removable drives.
According to the researcher, the Ramsay samples they found do not have a network-based C&C communication protocol, nor does any attempt to connect to a remote host for communication purposes.
images from Hacker News