Ramsay malware: What it is, how it works and how to prevent it | Malware spotlight

Introduction

Unusual functionality tends to make something as much a point of interest as an oddity. Malware is no exception, and the malware framework known as Ramsay is a good example of this.

Unlike nearly all other malware, Ramsay is able to jump air gaps in an organization's network to infect computers.

This advanced functionality makes Ramsay particularly important for malware researchers to study, and the knowledge gained may help prevent malware with similar capabilities in the future. This article details what Ramsay is, how it works and how you can defend against it.

What is Ramsay?

In September of 2019, researchers at ESET discovered a malware framework dubbed Ramsay. This malware was designed to jump air gaps in an organization's network to infect computers that would otherwise be isolated from malware (short of a user connecting an infected device such as a USB drive).

Air gaps are generally considered one of the strictest and most effective information security measures and are used extensively in both manufacturing and critical infrastructure. Attackers know this, which is why getting into an air-gapped network has been called the "Holy Grail" of security breaches.

Researchers have observed three different versions of Ramsay. Version 1 was distributed via malicious Office documents attached to emails; these exploited CVE-2017-0199, a Microsoft Word remote code execution flaw, to facilitate the malware installation. The exploit allows attackers to launch malicious code when an RTF document is opened. Several different versions of these documents have been found on VirusTotal, with indications that they may have been used to test how well Ramsay fared against vendors' static engines.
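As an added example (not from the original post or from ESET's research), the following Python heuristic flags RTF files that carry the structure CVE-2017-0199 exploit documents rely on: a linked OLE object marked with both \objautlink and \objupdate, which asks Word to refresh the link as soon as the document is opened. The three RTF samples are constructed for the demonstration, and the \objdata hex is a placeholder rather than a real OLE stream.

```python
import re

# Constructed sample: an ordinary RTF with no embedded objects.
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl\f0\fswiss Helvetica;}\f0\pard Quarterly report.\par}"

# Constructed sample: an embedded (not linked) object with no update flag.
# It is counted as an object but not flagged.
EMBEDDED_RTF = r"{\rtf1{\object\objemb{\*\objclass Package}{\*\objdata 00}}}"

# Constructed sample: the object-group shape seen in CVE-2017-0199 exploit
# documents. The \objdata hex here is a placeholder, not a real OLE stream.
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi\pard Agenda\par"
    r"{\object\objautlink\objupdate\rsltpict\objw100\objh100"
    r"{\*\objdata 0105000002000000}}}"
)

# Matches one \object group up to its \objdata destination; group(1) holds the
# control words describing the object (linked vs. embedded, update flags).
OBJ_GROUP = re.compile(r"\{\\object\b(.*?)\{\\\*\\objdata", re.DOTALL)


def scan_rtf(text: str) -> dict:
    r"""Count OLE objects in RTF text and those that are auto-updating links.

    A linked object (\objautlink) combined with \objupdate tells Word to
    refresh the link when the document opens, the CVE-2017-0199 trigger.
    """
    findings = {"objects": 0, "auto_update_links": 0}
    for match in OBJ_GROUP.finditer(text):
        findings["objects"] += 1
        header = match.group(1)
        if r"\objautlink" in header and r"\objupdate" in header:
            findings["auto_update_links"] += 1
    return findings


def is_suspicious(text: str) -> bool:
    """True if the document carries at least one auto-updating linked object."""
    return scan_rtf(text)["auto_update_links"] > 0


if __name__ == "__main__":
    samples = (("benign", BENIGN_RTF), ("embedded", EMBEDDED_RTF),
               ("suspicious", SUSPICIOUS_RTF))
    for name, sample in samples:
        print(name, scan_rtf(sample), "FLAG" if is_suspicious(sample) else "ok")
```

Real exploit documents often obfuscate control words, so this plain-text check is a triage aid; a proper RTF parser such as oletools' rtfobj should be used to extract and inspect the OLE link itself.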

Newer Ramsay versions, v2.a and v2.b, were observed being distributed as malicious installers masquerading as popular applications, including 7zip. These versions allowed (Read more...)

This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/froCJ1M-Qho/