Ramsay Trojan designed to target air-gapped systems

Ramsay is a highly sophisticated information-stealing trojan and associated espionage framework capable of operating on air-gapped systems. First observed in September 2019, it is believed to have been created by or for the Darkhotel advanced persistent threat group.

An air-gapped computer is isolated from unsecured networks, meaning that it is not directly connected to the internet, nor is it connected to any other system that is connected to the internet. 

Since first being observed, Ramsay has gone through two major iterations, with both introducing new delivery mechanisms. Ramsay v1 is distributed via malicious documents containing an initial VBS script, a CVE-2017-0199 exploit, and a PE file disguised as a JPEG image. Versions 2.a and 2.b both exploit CVE-2017-11882, with 2.a being delivered disguised as legitimate file utilities, whilst 2.b is again delivered by malicious documents.

Once installed, Ramsay will edit several registry keys, create multiple scheduled tasks, and inject itself into a running process in an attempt to maintain persistence. Later variants will also use MSDTC and phantom DLL hijacking techniques. If successful, Ramsay scans all connected drives and removable media for target files, which are then stored in a preliminary collection directory. When complete, Ramsay encrypts this directory with the RC4 algorithm before compressing it using an embedded WinRAR instance. Ramsay then adds a magic value to the archive before adding this value to each Word document on the system. Whilst it is currently unclear how these archives are exfiltrated, it is believed that a secondary unidentified component scans the affected file system for these magic values in order to identify the archives to extract.
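A defender-side check in the spirit of the marker mechanism just described: this added example (not code from the original post or from the ESET report) flags Word documents that carry bytes appended after the ZIP end-of-central-directory record, which is where a well-formed .docx ends. It assumes .docx-style ZIP containers and that a value is appended at the end of the file; the page gives neither the marker's value nor its placement, so the marker used here is a constructed placeholder.

```python
import io
import struct
import zipfile

# ZIP end-of-central-directory (EOCD) signature. A well-formed .docx ends with
# this 22-byte record plus an optional comment, so anything after it is foreign.
EOCD_SIG = b"PK\x05\x06"


def trailing_bytes(data: bytes) -> bytes:
    """Return the bytes appended after the ZIP EOCD record (empty if none)."""
    idx = data.rfind(EOCD_SIG)  # assumes the appended data does not itself contain the signature
    if idx < 0 or idx + 22 > len(data):
        raise ValueError("not a ZIP container")
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]  # comment length sits at offset 20
    end = idx + 22 + comment_len
    return data[end:]


def build_docx_like(content: bytes, comment: bytes = b"") -> bytes:
    """Construct a minimal ZIP standing in for a .docx (sample input, not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", content)
        zf.comment = comment  # a legitimate archive comment must not count as trailing data
    return buf.getvalue()


def scan(files: dict) -> dict:
    """Map filename -> appended bytes for every ZIP-based file that carries trailing data."""
    hits = {}
    for name, data in files.items():
        try:
            tail = trailing_bytes(data)
        except ValueError:
            continue  # not a ZIP container; out of scope for this check
        if tail:
            hits[name] = tail
    return hits


# Constructed samples: a clean document, one with an archive comment, one with a fake marker appended.
MARKER = b"PLACEHOLDER_MARKER_NOT_REAL"  # hypothetical; the real value is not given on the page
SAMPLES = {
    "clean.docx": build_docx_like(b"<w:document/>"),
    "commented.docx": build_docx_like(b"<w:document/>", comment=b"reviewed"),
    "tagged.docx": build_docx_like(b"<w:document/>") + MARKER,
}

if __name__ == "__main__":
    for name, tail in scan(SAMPLES).items():
        print(f"{name}: {len(tail)} trailing bytes: {tail[:32]!r}")
```

Legacy binary .doc files are OLE compound documents rather than ZIP archives and need a different end-of-file check, so this routine skips them.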

Additionally, Ramsay 2.a and 2.b are able to propagate across networks, although this functionality appears to be disabled in version 2.b. Certain Ramsay variants also implement a network scanner able to identify EternalBlue vulnerable systems, with any scan results included in the collection directory.

Further information – https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

Indicators of Compromise (IoCs) – SHA1

Win32/TrojanDropper.Agent.SHN (Initial Installer)

Win32/Ramsay.A (Installer Launcher)

Win32/HackTool.UACMe.T (UAC Bypass Module)

Win32/HackTool.UACMe.T (UAC Bypass Module)

Win32/TrojanDropper.Agent.SHM (Spreader)

Win32/TrojanDropper.Agent.SHN (Malware Installer)

Win32/HideProc.M (HideDriver Rootkit)

Win32/HideProc.M (HideDriver Rootkit)

Win64/HackTool.Inject.A (Darkhotel Retro Backdoor Loader)

Win32/Ramsay.B (Ramsay Initial Installer, version 2.b)

Win32/Exploit.CVE-2017-11882.H (RTF file that drops Ramsay Initial Installer)

Win32/Ramsay.C (Ramsay Agent DLL, 32-bit)

Win32/Ramsay.C (Ramsay Agent EXE, 32-bit)

Win32/Ramsay.C (Ramsay Agent DLL, 32-bit)

Win32/Ramsay.C (Ramsay Agent DLL, 32-bit)

Win64/Ramsay.C (Ramsay Agent DLL, 64-bit)

Win64/Ramsay.C (Ramsay Agent DLL, 64-bit)

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
