ESET found Ramsay malware targeting systems isolated by an air gap

Researchers at network security company ESET announced that they have discovered an unprecedented malware framework with advanced features that are rare today.
ESET named the malware framework Ramsay and stated that the toolkit is designed to infect physically isolated computers. It collects Word and other sensitive documents into a hidden storage container, where they wait for a suitable opportunity to be leaked.
Ramsay is a major discovery because the security community rarely sees malware that can attack physically isolated devices. Generally speaking, physical isolation is the most stringent and effective security measure companies can take for sensitive data.

A physically isolated (air-gapped) system is a computer or network that is isolated from the rest of the company’s network and disconnected from the public Internet. Physically isolated computers and networks often appear in government agencies and large enterprises, where they usually store top secret files or intellectual property. Penetrating a physically isolated network is often regarded as the holy grail of security breaches because it is extremely difficult to destroy or penetrate a physically isolated system.

ESET pointed out in its published report that Ramsay appears to have been developed almost specifically to breach physically isolated networks.
According to the information collected by ESET, attacks using the Ramsay toolkit proceed as follows:

• The victim receives an email with an RTF file attached.
• If the victim downloads and opens the document, the file attempts to exploit the CVE-2017-1188 or CVE-2017-0199 vulnerability to infect the user with Ramsay malware.
• Ramsay’s collector module starts. The module searches the victim’s entire computer and collects Word, PDF, and ZIP files into a hidden folder.
• Ramsay’s propagator module is also launched. This module adds a copy of the Ramsay malware to all PE files found on removable drives and network shares.
• The malware waits until the attacker deploys another module that can steal the collected data.
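
One way a defender could watch for the propagator behaviour described above (a copy of the malware added to PE files on removable drives and network shares) is to snapshot the PE files under a mount point and report any whose contents later change or grow. This is an added example, not code from ESET or from the original article; the function names, the temporary directory and the minimal PE stubs are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def is_pe(path):
    """True if the file has an MZ header and a PE signature at e_lfanew."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[60:64], "little"))  # e_lfanew field
        return f.read(4) == b"PE\0\0"

def snapshot(root):
    """Map relative path -> (size, sha256) for every PE file under root."""
    snap = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and is_pe(p):
            data = p.read_bytes()
            key = p.relative_to(root).as_posix()
            snap[key] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def diff(baseline, current):
    """List (path, kind) for PE files that are new or whose content changed."""
    findings = []
    for rel, (size, digest) in sorted(current.items()):
        if rel not in baseline:
            findings.append((rel, "new"))
        elif baseline[rel][1] != digest:
            grew = size > baseline[rel][0]
            findings.append((rel, "grown" if grew else "modified"))
    return findings

def make_pe(extra=b""):
    """Constructed stand-in: DOS header plus PE signature, not a real program."""
    return b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little") + b"PE\0\0" + extra

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)  # hypothetical mount point of a removable drive
        (root / "setup.exe").write_bytes(make_pe())
        (root / "notes.txt").write_bytes(b"MZ but not an executable")
        base = snapshot(root)
        # Constructed change: the executable grows and a new one appears.
        (root / "setup.exe").write_bytes(make_pe(b"A" * 512))
        (root / "tool.exe").write_bytes(make_pe())
        return diff(base, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Legitimate updates also change executables, so findings from a check like this need to be reconciled against known software changes before being treated as an infection indicator.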

ESET stated that no data extraction module for Ramsay was found during the study. Nevertheless, ESET stated that the malware has been widely used.
ESET researcher Ignacio Sanmillan said: “We initially found an instance of Ramsay in VirusTotal. That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a developmental stage, with its delivery vectors still undergoing fine-tuning.” For example, email delivery methods are diverse. In the latest Ramsay version, the malware also collected PDF and ZIP files in addition to Word documents.

ESET stated that it has tracked three different versions of the Ramsay malware framework: one was compiled in September 2019 (Ramsay v1), and the other two were compiled from early March to late March 2020 (Ramsay v2.a and v2.b). The researchers have not yet officially attributed Ramsay to anyone.