A new cyber-espionage framework has been unearthed by researchers at cybersecurity company ESET.
Dubbed “Ramsay,” the framework appears to be tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems.
ESET believes that this framework is under an ongoing development process, because their research to date has revealed only a small number of victims. Malicious documents uncovered in their research of the framework and uploaded to public sandbox engines with titles such as “access_test.docx” or “Test.docx” seem to support this theory.
Researchers came across the previously unreported cyber-espionage framework while studying a suspicious data sample. Korean-language metadata were discovered within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates.
Alexis Dorais-Joncas, head of ESET’s Montreal-based research team, said: “We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing.”
Although a relatively fresh arrival on the digital spy scene, Ramsay has already undergone several re-jigs. Researchers noted that the various discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.
“Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications potentially being delivered via spear-phishing,” wrote researchers.
The architecture of the framework provides a series of capabilities that include file collection and covert storage, command execution, and highly aggressive file spreading.
In the more mature versions of Ramsay, researchers observed a technique sometimes referred to as “Phantom DLL Hijacking,” which takes advantage of Windows applications’ use of outdated dependencies to leverage malicious versions of those dependencies.
Ramsay’s primary goal is to collect all existing Microsoft Word documents within the victim’s file system. Depending on the Ramsay version in play, file collection is either restricted to the local system drive or involves a search of additional drives such as network or removable drives.