This threat report covers Ramsay, a malware framework built to collect and stage sensitive documents from targeted systems for cyber-espionage. Ramsay is designed to work whether or not the target is air-gapped, and it affects hosts running the Windows operating system.
Ramsay operates without any command-and-control channel: the raw data is collected and stored locally on the infected host rather than sent to an attacker-controlled server. Three versions are currently known in the wild. Two of them arrive through malicious documents that exploit CVE-2017-0199 and CVE-2017-11882, both remote code execution vulnerabilities in Microsoft Office; the third is delivered by an installer that masquerades as 7-Zip.
The malware targets Word documents, PDF files, and ZIP archives on infected machines, searching for these file types on local storage, network drives, and removable media. The files it collects are encrypted with RC4 and stored locally; the encryption exists only to hide the stolen content from casual inspection and offers no clue about where the data will be picked up. The framework can also spread through network drives to infect other systems inside the organization, so a single infected host should be treated as a foothold, not an isolated incident.
Ramsay maintains persistence on infected targets through several mechanisms. It can register itself in the AppInit_DLLs registry value, which causes its DLL to be loaded into every process that loads user32.dll. It can create scheduled tasks that run at logon or on every reboot using the Scheduled Task COM API. It also performs phantom DLL hijacking: it drops a malicious DLL under a name that a legitimate Windows component tries to load but that does not exist on a default install, so the component loads the attacker's file. The two names used are msfte.dll (loaded by Windows Search) and oci.dll (loaded by the Microsoft Distributed Transaction Coordinator).
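The following is an added example, not code from the Avertium report or from the ESET analysis it draws on. It is a read-only PowerShell triage script that checks a host for the three persistence mechanisms described above. The set of directories searched for the two phantom DLL names, and the assumption that binaries outside the Windows directory in a logon or boot task deserve review, are choices made for this example, not facts from the report.

```powershell
# Added example: triage a Windows host for the Ramsay persistence mechanisms
# listed in the report. Run from an elevated PowerShell prompt. Nothing is
# modified; findings are printed for an analyst to review.

$findings = @()

# 1. AppInit_DLLs. The value is normally empty; any DLL listed here is loaded
#    into every process that links user32.dll. Check both the native and the
#    WOW6432Node key on 64-bit Windows.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.AppInit_DLLs) {
        $findings += [pscustomobject]@{
            Check  = 'AppInit_DLLs'
            Where  = $key
            Detail = "AppInit_DLLs='$($props.AppInit_DLLs)' LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)"
        }
    }
}

# 2. Scheduled tasks triggered at logon or at boot whose action runs a binary
#    outside the Windows directory. Legitimate software creates such tasks too,
#    so this is a review list, not a verdict.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $triggerClasses = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
    if ($triggerClasses -match 'MSFT_TaskLogonTrigger|MSFT_TaskBootTrigger') {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)') {
                $findings += [pscustomobject]@{
                    Check  = 'ScheduledTask'
                    Where  = "$($task.TaskPath)$($task.TaskName)"
                    Detail = "$($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
}

# 3. Phantom DLL hijacking. msfte.dll and oci.dll are looked up by Windows
#    Search and MSDTC but are not shipped by a default Windows installation,
#    so any copy on disk should be examined. The roots searched are an assumption.
$phantomDlls = 'msfte.dll', 'oci.dll'
$searchRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
)
foreach ($root in $searchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $phantomDlls -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $findings += [pscustomobject]@{
                Check  = 'PhantomDLL'
                Where  = $_.FullName
                Detail = "Signature=$($sig.Status) Size=$($_.Length) Modified=$($_.LastWriteTime)"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No AppInit_DLLs entries, suspicious logon/boot tasks, or phantom DLLs found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any hit from the third check is worth pulling for analysis even if it carries a valid-looking signature, because the loading service runs as SYSTEM and the file should simply not be there. The first two checks will produce benign results on many hosts; compare them against a known-good build of the same image before escalating.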
Here are ways Ramsay malware may impact your organization:
Patch both CVE-2017-0199 and CVE-2017-11882 using the links found below; both fixes were released by Microsoft in 2017, so an unpatched Office install today is a sign of a wider patching gap. Perform file integrity monitoring in sensitive segments of the network to catch unexpected file changes, and include the Ramsay persistence artifacts in that watch list: new files named msfte.dll or oci.dll, changes to the AppInit_DLLs registry value, and new scheduled tasks with logon or boot triggers. Note that AppInit_DLLs is ignored by Windows 8 and later when Secure Boot is enabled, so enabling Secure Boot removes that persistence path entirely. Disable the use of removable media inside air-gapped networks, with an exception only for approved administrators, since removable media is the only way Ramsay's collected data can leave an isolated network.
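The script below is an added example, not part of the original report, showing two of the mitigations above as PowerShell. It writes the registry value that the Group Policy setting "All Removable Storage classes: Deny all access" writes, and it implements a minimal file-integrity baseline for a sensitive directory. The directory path and baseline file location are placeholders; the exception for approved administrators is assumed to be handled by scoping the Group Policy object rather than by this script.

```powershell
# Added example: host-level hardening for the two mitigations in the report.
# Run from an elevated PowerShell prompt.

# (a) Deny all access to removable storage for every user on this host.
#     This is the value the GPO "All Removable Storage classes: Deny all access"
#     sets. A local write is overridden by domain policy on the next refresh,
#     so in a domain set it through the GPO and scope exceptions there.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord
Write-Output "Removable storage denied via $policyKey\Deny_All (reboot may be required)."

# (b) Minimal file-integrity monitoring: hash every file under a directory,
#     compare with the last accepted baseline, and report new, changed and
#     deleted files. The baseline is only rewritten when -AcceptChanges is given,
#     so an analyst reviews differences before they become the new normal.
function Compare-FimBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,          # directory to monitor
        [Parameter(Mandatory)] [string] $BaselineFile,  # CSV holding accepted hashes
        [switch] $AcceptChanges                         # rewrite the baseline after reporting
    )
    $current = @(Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash)

    if (-not (Test-Path $BaselineFile)) {
        $current | Export-Csv -Path $BaselineFile -NoTypeInformation
        Write-Output "Baseline created for $Path with $($current.Count) files."
        return
    }

    $old = @{}
    foreach ($b in (Import-Csv -Path $BaselineFile)) { $old[$b.Path] = $b.Hash }
    $new = @{}
    foreach ($c in $current) { $new[$c.Path] = $c.Hash }

    $changes = 0
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p))  { Write-Output "NEW      $p"; $changes++ }
        elseif ($old[$p] -ne $new[$p])  { Write-Output "CHANGED  $p"; $changes++ }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p))  { Write-Output "DELETED  $p"; $changes++ }
    }
    Write-Output "$changes change(s) against baseline $BaselineFile."

    if ($AcceptChanges -and $changes -gt 0) {
        $current | Export-Csv -Path $BaselineFile -NoTypeInformation
        Write-Output 'Baseline updated.'
    }
}

# Placeholder paths; point these at a real sensitive share and a protected
# location for the baseline (the baseline itself must not be writable by the
# users whose files it covers).
Compare-FimBaseline -Path 'D:\Sensitive' -BaselineFile 'C:\ProgramData\fim\baseline.csv'
```

Schedule the comparison from a task that runs as a dedicated service account and ships its output to the SIEM; a burst of NEW entries for files that are not Word, PDF or ZIP documents, or CHANGED entries on executables, is exactly the pattern Ramsay's local staging and network-drive spreading would leave behind.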
IBM X-Force Exchange Links:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.