Ramsay

(Type: Reconnaissance, Backdoor, Info stealer, Exfiltration, Worm)

(ESET) ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air-gapped networks. Ramsay’s architecture provides a series of capabilities monitored via a logging mechanism intended to assist operators by supplying a feed of actionable intelligence to conduct exfiltration, control, and lateral movement actions, as well as providing overall behavioral and system statistics of each compromised system. The realization of these actions is possible due to the following capabilities:
• File collection and covert storage
• Command execution
• Spreading

[News Analysis] Trends:

Total Trend: 7

Trend Per Year
2020: 5
2021: 1
2022: 1


Trend Per Month
May 2020: 3
Jun 2020: 1
Sep 2020: 1
Dec 2021: 1
May 2022: 1



[News Analysis] News Mention Another Threat Name:

1 - CherryPicker POS
14 - Ramsay
9 - Agent.BTZ
9 - Fanny
9 - Flame
9 - Gauss
9 - PlugX
12 - Retro
9 - Stuxnet
9 - USBCulprit
9 - USBferry
4 - Asruex
4 - Ghost RAT
4 - Unidentified 076 (Higaisa LNK to Shellcode)
1 - DarkHotel


[TTP Analysis] Technique Performance:

Reconnaissance: 0/43
Resource Development: 0/45
Initial Access: 2/19
Execution: 7/36
Persistence: 4/113
Privilege Escalation: 6/96
Defense Evasion: 9/184
Credential Access: 0/63
Discovery: 8/44
Lateral Movement: 2/22
Collection: 8/37
Command and Control: 2/39
Exfiltration: 0/18
Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact

Initial Access (TA0001)
T1566.001 Phishing : Spearphishing Attachment
T1091 Replication Through Removable Media

Execution (TA0002)
T1059.005 Command and Scripting Interpreter : Visual Basic
T1203 Exploitation for Client Execution
T1559.001 Inter-Process Communication : Component Object Model
T1559.002 Inter-Process Communication : Dynamic Data Exchange
T1106 Native API
T1053.005 Scheduled Task/Job : Scheduled Task
T1204.002 User Execution : Malicious File

Persistence (TA0003)
T1547.001 Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder
T1546.010 Event Triggered Execution : AppInit DLLs
T1574.001 Hijack Execution Flow : DLL Search Order Hijacking
T1053.005 Scheduled Task/Job : Scheduled Task

Privilege Escalation (TA0004)
T1548.002 Abuse Elevation Control Mechanism : Bypass User Account Control
T1547.001 Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder
T1546.010 Event Triggered Execution : AppInit DLLs
T1574.001 Hijack Execution Flow : DLL Search Order Hijacking
T1055.001 Process Injection : Dynamic-link Library Injection
T1053.005 Scheduled Task/Job : Scheduled Task

Defense Evasion (TA0005)
T1548.002 Abuse Elevation Control Mechanism : Bypass User Account Control
T1140 Deobfuscate/Decode Files or Information
T1574.001 Hijack Execution Flow : DLL Search Order Hijacking
T1036 Masquerading
T1036.005 Masquerading : Match Legitimate Name or Location
T1027 Obfuscated Files or Information
T1027.003 Obfuscated Files or Information : Steganography
T1055.001 Process Injection : Dynamic-link Library Injection
T1014 Rootkit

Discovery (TA0007)
T1083 File and Directory Discovery
T1046 Network Service Discovery
T1135 Network Share Discovery
T1120 Peripheral Device Discovery
T1057 Process Discovery
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1049 System Network Connections Discovery

Lateral Movement (TA0008)
T1091 Replication Through Removable Media
T1080 Taint Shared Content

Collection (TA0009)
T1560.001 Archive Collected Data : Archive via Utility
T1560.003 Archive Collected Data : Archive via Custom Method
T1119 Automated Collection
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1074.001 Data Staged : Local Data Staging
T1113 Screen Capture

Command and Control (TA0011)
T1071.001 Application Layer Protocol : Web Protocols
T1132.001 Data Encoding : Standard Encoding


[Infrastructure Analysis] Based on Related IOC:

IP:Port (with timestamp): no entries
Domain (with timestamp): no entries
URL (with timestamp): no entries


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Malware development: persistence - part 6. Windows netsh helper DLL. Simple C++ example.

2022-05-16 by cocomelonc from cocomelonc

Jumping the air gap: 15 years of nation‑state effort

2021-12-01 by Alexis Dorais-Joncas from ESET Research

Ramsay: A cyber-espionage toolkit tailored for air-gapped networks

2020-09-22 by Ignacio Sanmillan from Youtube (Virus Bulletin)

Deep-dive: The DarkHotel APT

2020-06-14 by BushidoToken from BushidoToken

Analysis of Ramsay components of Darkhotel's infiltration and isolation network

2020-05-22 by Antiy CERT from Antiy CERT

Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks

2020-05-20 by Jim Walter from SentinelOne

Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks

2020-05-13 by Ignacio Sanmillan from ESET Research

Basic Information (Credit @etda.or.th)

Tool: Ramsay

Names: Ramsay

Description: (ESET) ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air-gapped networks. Ramsay’s architecture provides a series of capabilities monitored via a logging mechanism intended to assist operators by supplying a feed of actionable intelligence to conduct exfiltration, control, and lateral movement actions, as well as providing overall behavioral and system statistics of each compromised system. The realization of these actions is possible due to the following capabilities:
• File collection and covert storage
• Command execution
• Spreading

Category: Malware

Type: Reconnaissance, Backdoor, Info stealer, Exfiltration, Worm

Information: https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

Information: https://www.antiy.cn/research/notice&report/research_report/20200522.html

Information: https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html

Information: https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/

Mitre-attack: https://attack.mitre.org/software/S0458/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay

Last-card-change: 2022-12-30

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact

Initial Access (TA0001)
T1566.001 Phishing : Spearphishing Attachment
Ramsay has been distributed through spearphishing emails with malicious attachments.
T1091 Replication Through Removable Media
Ramsay can spread itself by infecting other portable executable files on removable drives.

Execution (TA0002)
T1059.005 Command and Scripting Interpreter : Visual Basic
Ramsay has included embedded Visual Basic scripts in malicious documents.
T1203 Exploitation for Client Execution
Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.
T1559.001 Inter-Process Communication : Component Object Model
Ramsay can use the Windows COM API to schedule tasks and maintain persistence.
T1559.002 Inter-Process Communication : Dynamic Data Exchange
Ramsay has been delivered using OLE objects in malicious documents.
T1106 Native API
Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.
T1053.005 Scheduled Task/Job : Scheduled Task
Ramsay can schedule tasks via the Windows COM API to maintain persistence.
T1204.002 User Execution : Malicious File
Ramsay has been executed through malicious e-mail attachments.

Persistence (TA0003)
T1547.001 Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder
Ramsay has created Registry Run keys to establish persistence.
T1546.010 Event Triggered Execution : AppInit DLLs
Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.
T1574.001 Hijack Execution Flow : DLL Search Order Hijacking
Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.
T1053.005 Scheduled Task/Job : Scheduled Task
Ramsay can schedule tasks via the Windows COM API to maintain persistence.

Privilege Escalation (TA0004)
T1548.002 Abuse Elevation Control Mechanism : Bypass User Account Control
Ramsay can use UACMe for privilege escalation.
T1547.001 Boot or Logon Autostart Execution : Registry Run Keys / Startup Folder
Ramsay has created Registry Run keys to establish persistence.
T1546.010 Event Triggered Execution : AppInit DLLs
Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.
T1574.001 Hijack Execution Flow : DLL Search Order Hijacking
Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.
T1055.001 Process Injection : Dynamic-link Library Injection
Ramsay can use ImprovedReflectiveDLLInjection to deploy components.
T1053.005 Scheduled Task/Job : Scheduled Task
Ramsay can schedule tasks via the Windows COM API to maintain persistence.

Defense Evasion (TA0005)
T1548.002 Abuse Elevation Control Mechanism : Bypass User Account Control
Ramsay can use UACMe for privilege escalation.
T1140 Deobfuscate/Decode Files or Information
Ramsay can extract its agent from the body of a malicious document.
T1574.001 Hijack Execution Flow : DLL Search Order Hijacking
Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.
T1036 Masquerading
Ramsay has masqueraded as a JPG image file.
T1036.005 Masquerading : Match Legitimate Name or Location
Ramsay has masqueraded as a 7zip installer.
T1027 Obfuscated Files or Information
Ramsay has Base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.
T1027.003 Obfuscated Files or Information : Steganography
Ramsay has PE data embedded within JPEG files contained within Word documents.
T1055.001 Process Injection : Dynamic-link Library Injection
Ramsay can use ImprovedReflectiveDLLInjection to deploy components.
T1014 Rootkit
Ramsay has included a rootkit to evade defenses.

Discovery (TA0007)
T1083 File and Directory Discovery
Ramsay can collect directory and file lists.
T1046 Network Service Discovery
Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.
T1135 Network Share Discovery
Ramsay can scan for network drives which may contain documents for collection.
T1120 Peripheral Device Discovery
Ramsay can scan for removable media which may contain documents for collection.
T1057 Process Discovery
Ramsay can gather a list of running processes by using tasklist.
T1082 System Information Discovery
Ramsay can detect system information, including disk names, total space, and remaining space, to create a hardware profile GUID which acts as a system identifier for operators.
T1016 System Network Configuration Discovery
Ramsay can use ipconfig and arp to collect network configuration information, including routing information and ARP tables.
T1049 System Network Connections Discovery
Ramsay can use netstat to enumerate network connections.

Lateral Movement (TA0008)
T1091 Replication Through Removable Media
Ramsay can spread itself by infecting other portable executable files on removable drives.
T1080 Taint Shared Content
Ramsay can spread itself by infecting other portable executable files on network shared drives.

Collection (TA0009)
T1560.001 Archive Collected Data : Archive via Utility
Ramsay can compress and archive collected files using WinRAR.
T1560.003 Archive Collected Data : Archive via Custom Method
Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.
T1119 Automated Collection
Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow-up scans.
T1005 Data from Local System
Ramsay can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.
T1039 Data from Network Shared Drive
Ramsay can collect data from network drives and stage it for exfiltration.
T1025 Data from Removable Media
Ramsay can collect data from removable media and stage it for exfiltration.
T1074.001 Data Staged : Local Data Staging
Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.
T1113 Screen Capture
Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.

Command and Control (TA0011)
T1071.001 Application Layer Protocol : Web Protocols
Ramsay has used HTTP for C2.
T1132.001 Data Encoding : Standard Encoding
Ramsay has used Base64 to encode its C2 traffic.