ESET discovers malware toolkit targeting air-gapped networks
Security researchers at ESET have discovered a malware toolkit that appears to be designed to steal documents from air-gapped computers. The stolen documents are staged on the system until they can be exfiltrated from it.
ESET calls the malware Ramsay. The company discovered a sample of it on VirusTotal. The malware enters a system in several ways. For example, Ramsay exploits multiple vulnerabilities in Microsoft Word, including CVE-2017-0199 and CVE-2017-11882. Patches for both vulnerabilities have been available for years, but the malware relies on them not having been applied. In another case, the malware was distributed via an infected 7-Zip installer.
If the victim opens the infected document, no command and control server is contacted, unlike with most malware infections. There are other indications as well that Ramsay mainly targets air-gapped networks. After installation, the malware looks for specific Word documents, PDF and Zip files. These are placed in a hidden folder on the PC, where they wait to be removed from the PC. It is not clear exactly how that removal is supposed to happen. Just as the malware has to be physically brought onto a PC in the first place, the collected files also have to be physically removed. This follows from the defining characteristic of air-gapped networks: they are not connected to the internet, which usually makes them difficult to infect with malware.
The malware has several methods to spread through a network. Some components of the malware contain a scanner that looks for computers on the local network that are vulnerable to the SMBv1 flaw known as EternalBlue. There is also a ‘Spreader’ component in the malware. It searches for network drives and removable drives such as USB sticks and HDDs. Ramsay places portable executables on such drives. When run on another computer, that executable searches for documents to infect and thus rolls out the rest of the malware further.
ESET says that the malware has several advanced methods to remain on a system. One is a technique known as “phantom DLL hijacking”, in which the malware takes the place of old, no-longer-used DLLs in Windows.
The company says attribution is difficult. The researchers found some similarities with a malware module called Retro, which is used by the Darkhotel hacker group. That group conducts espionage campaigns in Asia.
ESET says it has not yet encountered the malware much in the wild. According to the researchers, Ramsay is also still in development. For example, several variants of the toolkit have been circulated, with newer versions also looking for additional file formats. The ESET researchers also found traces of test files such as test.docx in the code. According to the company, the first variant of the malware was released in September 2019, and two newer versions had been updated by the end of March.