Experts have discovered a new strain of malware called Ramsay, which can infect air-gapped computers and steal sensitive data, including Word, PDF and ZIP files.

Researchers at security company ESET have discovered a new, advanced malicious framework called Ramsay, which appears to be designed to infect air-gapped computers and exfiltrate sensitive data.

The malicious code collects sensitive files, including Word, PDF and ZIP files, into a hidden storage folder and then waits to exfiltrate them.

ESET researchers have discovered a previously undocumented cyber-espionage framework called Ramsay, which is used to collect and exfiltrate sensitive documents and is capable of operating within air-gapped networks.

The malware is specifically designed to jump the air gap and attack computers on isolated networks in order to steal sensitive information.

The researchers found a Ramsay sample after it was uploaded to VirusTotal from Japan, and then found other components and versions of the framework, a fact that suggests the framework is still under active development.

Experts identified at least three variants of the malware: v1, v2.a and v2.b. Ramsay v1 was first compiled in September 2019 and is also the least complex.

The v2.a and v2.b samples were compiled on 8 and 27 March respectively. Both contain the rootkit component, but experts found that only v2.a implements spreading capabilities.

Experts report that the less complex versions of the malware were dropped by weaponized documents exploiting the CVE-2017-0199 and CVE-2017-11882 vulnerabilities, respectively.

Ramsay v2.a comes with a fake installer for the 7-Zip file compression program.

New Ramsay malware allows exfiltrating files from air-gapped computers (Security Affairs)

With Ramsay, attackers can collect all Microsoft Word documents on the target machine; the latest versions can also exfiltrate PDF files and ZIP archives from network drives and removable media.

ESET researchers were unable to identify the exfiltration module used by the malicious code.

ESET did not attribute the Ramsay malware to any specific threat actor; the researchers only found some similarities with the Retro malware family used by the DarkHotel APT group.


Based on the various instances of the framework found, Ramsay has gone through various stages of development, which indicates a progression in the number and complexity of its capabilities. The developers responsible for the attack vectors seem to be trying out different approaches, such as old exploits for Word vulnerabilities from 2017 and the deployment of trojanized applications.

We interpret this as the developers having a prior understanding of the victims’ environment and tailoring attack vectors that can successfully penetrate the target systems without spending unnecessary resources.

Pierluigi Paganini

(Security Affairs – Ramsay malware, hacking)