2022-05-16 by cocomelonc from cocomelonc
2021-12-01 by Alexis Dorais-Joncas from ESET Research
2020-09-22 by Ignacio Sanmillan from YouTube (Virus Bulletin)
2020-06-14 by BushidoToken from BushidoToken
2020-05-22 by Antiy CERT from Antiy CERT
2020-05-20 by Jim Walter from SentinelOne
2020-05-13 by Ignacio Sanmillan from ESET Research
Tool: Ramsay
Names: Ramsay
Description: (ESET) ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air-gapped networks. Ramsay’s architecture provides a series of capabilities monitored via a logging mechanism intended to assist operators by supplying a feed of actionable intelligence to conduct exfiltration, control, and lateral movement actions, as well as providing overall behavioral and system statistics of each compromised system. The realization of these actions is possible due to the following capabilities: • File collection and covert storage • Command execution • Spreading
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Exfiltration, Worm
Information: https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
Information: https://www.antiy.cn/research/notice&report/research_report/20200522.html
Information: https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html
Information: https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/
Mitre-attack: https://attack.mitre.org/software/S0458/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Ramsay behaviour |
---|---|---|
Reconnaissance (TA0043) | (no techniques listed) | |
Resource Development (TA0042) | (no techniques listed) | |
Initial Access (TA0001) | T1566.001 Phishing: Spearphishing Attachment | Ramsay has been distributed through spearphishing emails with malicious attachments. |
Initial Access (TA0001) | T1091 Replication Through Removable Media | Ramsay can spread itself by infecting other portable executable files on removable drives. |
Execution (TA0002) | T1059.005 Command and Scripting Interpreter: Visual Basic | Ramsay has included embedded Visual Basic scripts in malicious documents. |
Execution (TA0002) | T1203 Exploitation for Client Execution | Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570. |
Execution (TA0002) | T1559.001 Inter-Process Communication: Component Object Model | Ramsay can use the Windows COM API to schedule tasks and maintain persistence. |
Execution (TA0002) | T1559.002 Inter-Process Communication: Dynamic Data Exchange | Ramsay has been delivered using OLE objects in malicious documents. |
Execution (TA0002) | T1106 Native API | Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute. |
Execution (TA0002) | T1053.005 Scheduled Task/Job: Scheduled Task | Ramsay can schedule tasks via the Windows COM API to maintain persistence. |
Execution (TA0002) | T1204.002 User Execution: Malicious File | Ramsay has been executed through malicious e-mail attachments. |
Persistence (TA0003) | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ramsay has created Registry Run keys to establish persistence. |
Persistence (TA0003) | T1546.010 Event Triggered Execution: AppInit DLLs | Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key. |
Persistence (TA0003) | T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload. |
Persistence (TA0003) | T1053.005 Scheduled Task/Job: Scheduled Task | Ramsay can schedule tasks via the Windows COM API to maintain persistence. |
Privilege Escalation (TA0004) | T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control | Ramsay can use UACMe for privilege escalation. |
Privilege Escalation (TA0004) | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ramsay has created Registry Run keys to establish persistence. |
Privilege Escalation (TA0004) | T1546.010 Event Triggered Execution: AppInit DLLs | Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key. |
Privilege Escalation (TA0004) | T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload. |
Privilege Escalation (TA0004) | T1055.001 Process Injection: Dynamic-link Library Injection | Ramsay can use ImprovedReflectiveDLLInjection to deploy components. |
Privilege Escalation (TA0004) | T1053.005 Scheduled Task/Job: Scheduled Task | Ramsay can schedule tasks via the Windows COM API to maintain persistence. |
Defense Evasion (TA0005) | T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control | Ramsay can use UACMe for privilege escalation. |
Defense Evasion (TA0005) | T1140 Deobfuscate/Decode Files or Information | Ramsay can extract its agent from the body of a malicious document. |
Defense Evasion (TA0005) | T1574.001 Hijack Execution Flow: DLL Search Order Hijacking | Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload. |
Defense Evasion (TA0005) | T1036.005 Masquerading: Match Legitimate Name or Location | Ramsay has masqueraded as a 7zip installer. |
Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers. |
Defense Evasion (TA0005) | T1027.003 Obfuscated Files or Information: Steganography | Ramsay has PE data embedded within JPEG files contained within Word documents. |
Defense Evasion (TA0005) | T1055.001 Process Injection: Dynamic-link Library Injection | Ramsay can use ImprovedReflectiveDLLInjection to deploy components. |
Credential Access (TA0006) | (no techniques listed) | |
Discovery (TA0007) | T1046 Network Service Discovery | Ramsay can scan for systems that are vulnerable to the EternalBlue exploit. |
Discovery (TA0007) | T1135 Network Share Discovery | Ramsay can scan for network drives which may contain documents for collection. |
Discovery (TA0007) | T1120 Peripheral Device Discovery | Ramsay can scan for removable media which may contain documents for collection. |
Discovery (TA0007) | T1082 System Information Discovery | Ramsay can detect system information (including disk names, total space, and remaining space) to create a hardware profile GUID which acts as a system identifier for operators. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | Ramsay can use ipconfig and arp to collect network configuration information, including routing information and ARP tables. |
Lateral Movement (TA0008) | T1091 Replication Through Removable Media | Ramsay can spread itself by infecting other portable executable files on removable drives. |
Lateral Movement (TA0008) | T1080 Taint Shared Content | Ramsay can spread itself by infecting other portable executable files on network shared drives. |
Collection (TA0009) | T1560.001 Archive Collected Data: Archive via Utility | Ramsay can compress and archive collected files using WinRAR. |
Collection (TA0009) | T1560.003 Archive Collected Data: Archive via Custom Method | Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR. |
Collection (TA0009) | T1119 Automated Collection | Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow-up scans. |
Collection (TA0009) | T1005 Data from Local System | Ramsay can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache. |
Collection (TA0009) | T1039 Data from Network Shared Drive | Ramsay can collect data from network drives and stage it for exfiltration. |
Collection (TA0009) | T1025 Data from Removable Media | Ramsay can collect data from removable media and stage it for exfiltration. |
Collection (TA0009) | T1074.001 Data Staged: Local Data Staging | Ramsay can stage data prior to exfiltration in %appdata%\microsoft\usersetting and %appdata%\microsoft\usersetting\mediacache. |
Collection (TA0009) | T1113 Screen Capture | Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected. |
Command and Control (TA0011) | (no techniques listed) | |
Exfiltration (TA0010) | (no techniques listed) | |
Impact (TA0040) | (no techniques listed) | |