Researcher Finds New Malware Believed to be ‘Tailored for Air-Gapped Networks’
A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which he spotted on the VirusTotal malware scanning engine, and believes that the attacker behind it is likely interested in high-value computers protected by air-gapped networks.
Dubbed Ramsay, the malware is still under development. Two further variants (v2.a and v2.b) have been spotted in the wild and, based on the details the researcher shared, it does not yet appear to be a complex attack framework.
However, before reading further, note that the malware itself does not use any extraordinary or advanced technique that would let attackers bridge an air gap to infiltrate or exfiltrate data from the targeted computers.
According to Ignacio Sanmillan, a researcher at ESET, Ramsay infiltrates targeted computers through malicious documents, possibly sent via a spear-phishing email or dropped from a USB drive, and then exploits an old code-execution vulnerability in Microsoft Office to gain a foothold on the system.
Several instances of these same malicious documents were found uploaded to public sandbox engines, labeled as testing artifacts such as access_test.docx or Test.docx, indicating ongoing efforts to trial this particular attack vector, the researcher said.
Ramsay primarily consists of two main functionalities:
Collecting all existing Word documents, PDFs and ZIP archives on the target's file system and storing them in a pre-defined location on the same system, or directly on a network share or removable drive.
Spreading itself to other computers used within the same isolated facility by infecting all executable files available on network shares and removable drives.
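Because the spreading capability described above works by modifying executables on removable drives and network shares, one cheap defensive check for an isolated environment is to baseline the hashes of the executables on a drive before it leaves a trusted system and verify them when it comes back. The script below is an added illustration of that check, not ESET's analysis code or anything from the Ramsay samples; the set of "executable" extensions, the baseline file name and the constructed sample drive contents are all assumptions.

```python
"""Integrity baseline for executables on removable media or network shares.

Added example (not the article's or ESET's code): snapshot the SHA-256 of
every executable under a path, then diff a later snapshot against it to
surface added or modified binaries, the footprint a file infector leaves.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: typical Windows PE extensions; extend for the environment being protected.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_executables(root: Path) -> dict:
    """Map every executable under root: relative POSIX-style path -> hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify executables as added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in set(baseline) & set(current)
            if baseline[name] != current[name]
        ),
    }


def save_snapshot(snapshot: dict, path: Path) -> None:
    """Persist a snapshot as JSON (store it off the drive in a real deployment)."""
    Path(path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_snapshot(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: a drive is baselined, then comes back with one
    executable appended to and a new binary present; both must be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "tools").mkdir()
        (drive / "tools" / "viewer.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (drive / "tools" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (drive / "report.docx").write_bytes(b"PK\x03\x04 constructed document")

        # Assumed baseline file name; its .json suffix keeps it out of the snapshot.
        baseline_file = drive / ".exec-baseline.json"
        save_snapshot(snapshot_executables(drive), baseline_file)

        # Simulate the drive returning with a tampered viewer.exe and an extra binary.
        (drive / "tools" / "viewer.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"APPENDED")
        (drive / "update.scr").write_bytes(b"MZ" + b"\x02" * 32)

        return diff_snapshots(load_snapshot(baseline_file), snapshot_executables(drive))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the report; in practice the baseline belongs on the trusted side, not on the drive, and any "modified" or "added" entry on media that only ever moved between known hosts is worth treating as an incident rather than a curiosity.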
According to the researcher, the Ramsay samples found do not have a network-based C&C communication protocol, nor do they attempt to connect to a remote host for communication purposes.
The question now arises as to how the attackers are supposed to exfiltrate data from a compromised system.
Honestly, there is no clear answer to this at the moment, but the researcher speculates that the malware may have been tailored for air-gapped networks in scenarios of that kind, given that the only option left is to physically access the machine and steal the collected data with a weaponized USB drive.
It is important to note that there is a correlation between the target drives that Ramsay scans for propagation and for retrieval of control documents, the ESET researcher said.
This assesses the relationship between Ramsay's spreading and control capabilities and shows how Ramsay's operators use the framework for lateral movement, indicating the likelihood that the framework was designed to operate within air-gapped networks.
Current visibility of targets is low; according to ESET telemetry, only a few victims have been discovered so far. We believe this scarcity of victims reinforces the hypothesis that this framework is under ongoing development, although the low visibility could also be due to the nature of the targeted systems being in air-gapped networks, he added.
However, the lack of technical and statistical evidence does not yet support this theory, which remains a broad assumption.
Moreover, since the malware is still under development, it is too early to decide whether it is targeted only at air-gapped networks.
It is likely that future versions of the malware will connect to a remote attacker-controlled server to receive commands and exfiltrate data.
We have contacted the ESET researcher to clarify the air-gap claim and will update this story as soon as he responds.
UPDATE: Researcher Explains Air-Gapped Scenarios
Researcher Ignacio Sanmillan, who discovered and analyzed the Ramsay malware, provided the following explanation for our readers.
All we have is a copy of the Ramsay agent, which only has code to aggregate and compress the stolen data in a highly decentralized and covert manner on the local file system of the infected host. Based on this, we assume that another component is responsible for scanning the file system, locating the compressed files and performing the actual exfiltration.
Asked whether the attacker needs to rely on physical access for data exfiltration, Mr Sanmillan answered:
There are several ways the attacker could do this. We haven't seen this operation being performed, but we do have a few hypotheses about how the attacker could have done it. These are just our best guesses and pure speculation at this point, so please treat these two hypothetical scenarios as such.
Scenario 1 – Imagine System A, connected to the internet and under the full control of Ramsay's operators, and System B, an air-gapped computer infected with the Ramsay agent. Imagine then that a legitimate user of these systems occasionally transfers files between the two systems using a removable drive.
When the drive is inserted into System A, the attacker may decide to place a special control file on the removable drive which, once connected to System B, would cause the Ramsay agent to run the Ramsay exfiltrator, which would be built to retrieve the staged stolen data and copy it to the removable drive for later retrieval when the drive is connected to System A again. This scenario is a variant of how Sednit / APT28 operated USBStealer.
USBStealer systematically copied the stolen data to the removable drive used between System A and System B, whereas Ramsay stages the stolen data locally for a later explicit exfiltration.
Scenario 2 – Imagine a Ramsay agent running for days or weeks in an air-gapped network, staging on the local file system all the data it can find on network drives and on any removable drives connected to the system.
Then at some point the attacker decides it is time to exfiltrate. They would need to physically access the infected system and either obtain code execution to run the Ramsay exfiltrator or, if the system does not have full disk encryption, boot the system from a removable drive, mount the file system, scan it for the neatly staged stolen data, and leave.
This scenario is more elaborate and requires the physical presence of an operator or accomplice, but could still be plausible, as it would allow for a very fast on-site operation.
Asked whether the malware's author might integrate a network-based C&C communication module in future versions, the researcher said:
Ramsay has a number of common capabilities implemented across all its versions, namely the control-file-based protocol and the way the artifacts involved in that protocol are retrieved from removable storage devices and network shares.
This indicates that this evaluation was taken into account during the design of the malware, which points to the implementation of capabilities for operating without any network connection.
It seems that if the attackers were to rely on network artifacts, this would not fit the philosophy of this malware. We do think that Ramsay may be under development, but we are strongly inclined to believe that they will not introduce a network-based exfiltration component.