Cybersecurity software provider and researcher ESET has discovered a previously unreported cyber espionage malware toolkit purpose-built to steal files from air-gapped networks.
Air-gapped networks have no interfaces connected to other networks and are physically isolated from unsecured ones, such as the public internet or an unsecured local area network. Both infecting an air-gapped network and exfiltrating data from it are difficult.
The hacking tool, which ESET dubbed Ramsay after strings such as “Start Ramsay” and “Injected Ramsay” found in one of its binaries, uses the local file system on a victim’s computer to slip data out of an air-gapped network. The security specialist said it made its discovery public in the hope that exposure might help pin down the unknown hackers.
ESET initially found an instance of Ramsay in suspicious file analyzer VirusTotal, Ignacio Sanmillan, an ESET malware researcher, wrote in a blog post. “That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a developmental stage, with its delivery vectors still undergoing fine-tuning.”
Ramsay scans all network shares and removable drives (other than floppy drives) for potential control files, Sanmillan wrote. Its delivery documents exploit old Microsoft Word vulnerabilities from 2017; the earliest version collects .docx files, while newer versions also seek out PDF files and ZIP archives. “Unlike most conventional malware, Ramsay does not have a network-based communication protocol nor does it make any attempt to connect to a remote host for communication purposes,” he said.
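One way a defender could hunt for the marker strings quoted above on a host or a mounted share, written here as an added example rather than ESET’s or the article’s own code; it assumes the two strings appear in clear text, either as ASCII or as the UTF-16LE wide strings common in Windows binaries, and it runs against constructed sample files:

```python
import os
import tempfile
from pathlib import Path

# The two strings the article cites as the source of the Ramsay name.
MARKERS = ("Start Ramsay", "Injected Ramsay")

# Each marker in both encodings a Windows binary is likely to use.
PATTERNS = [(m, enc, m.encode(enc)) for m in MARKERS for enc in ("ascii", "utf-16-le")]

CHUNK = 1 << 20  # read 1 MiB at a time so large files do not exhaust memory
# Carry this many trailing bytes into the next chunk so a match that straddles
# a chunk boundary is still seen.
OVERLAP = max(len(p) for _, _, p in PATTERNS) - 1


def scan_file(path):
    """Return the set of (marker, encoding) pairs found in one file."""
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            buf = tail + block
            for marker, enc, pat in PATTERNS:
                if pat in buf:
                    found.add((marker, enc))
            tail = buf[-OVERLAP:]
    return found


def scan_tree(root):
    """Walk a directory tree (e.g. a mounted share or removable drive) and
    map each file path to the markers found in it; clean files are omitted."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            matches = scan_file(p)
            if matches:
                hits[str(p)] = matches
    return hits


def demo():
    """Constructed samples: one ASCII marker, one wide-string marker, one clean file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a.bin").write_bytes(b"\x00MZ junk Start Ramsay more junk\x00")
        (root / "b.bin").write_bytes(b"\x90" * 8 + "Injected Ramsay".encode("utf-16-le"))
        (root / "clean.txt").write_bytes(b"quarterly report, nothing here")
        return {Path(k).name: sorted(v) for k, v in scan_tree(root).items()}
```

A real hunt would point `scan_tree` at the shares and removable media the article says Ramsay enumerates, since the toolkit itself never talks to the network.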
So far, Ramsay has claimed only a few victims, which ESET attributes either to the framework still being under development or to its targets sitting on hard-to-penetrate air-gapped networks. Digital markers offer some evidence that Ramsay may be tied to Darkhotel, the notorious APT syndicate that has executed a number of high-profile cyber espionage campaigns in China and Japan. Ramsay’s intended targets may sit on air-gapped networks, which could also explain the low visibility of intended victims, Sanmillan said.
Security experts were quick to weigh in on infecting air-gap networks. “It seems this spyware platform is really worried about being detected by traditional network security devices and, therefore, eliminates the use of typical command and control communication channels that are network based,” said Mounir Hahad, who heads Juniper Networks Threat Labs. “As much as infecting air-gap networks is difficult, exfiltrating data from them is even more difficult, which is why most malware that operates in air-gap networks are destroyers,” he said. “Unless that exfiltration method is identified, I think the jury is still out as to understanding the full picture of this malware.”