Researchers from cybersecurity company ESET have uncovered evidence of a new cyber espionage toolkit designed to steal data from air-gapped networks separated from the internet.
The new toolkit, dubbed Ramsay, is designed to collect all existing Microsoft Word documents within a target’s file system and prepare them for exfiltration, and it grants attackers the ability to remotely execute commands.
The toolkit includes a component that allows it to operate within air-gapped networks.
The Ramsay toolkit has gone through several iterations. This, coupled with the low number of victims, has led ESET to believe the framework is under an ongoing development process.
The developers in charge of infection vectors appear to be trying different approaches ranging from using old Microsoft Word vulnerabilities from 2017 to deploying trojanised applications for delivery by methods such as spear phishing.
ESET Research Leader Alexis Dorais-Joncas said the latest release of the malware employs advanced techniques related to evasion and persistence.
“We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing,” he said.
“Especially noteworthy is how the architectural design of Ramsay, especially the relationship between its spreading and control capabilities, allows it to operate in air-gapped networks — meaning networks that are not connected to the internet.”
Tenable Vice President of Operational Technology Security Marty Edwards said the findings should serve as a wake-up call for enterprises working under the false belief that air-gapped systems are inherently secure.
“There’s a misconception that air-gapped systems are ‘bullet-proof’ given that they are isolated from online networks. In reality, systems that are disconnected from networks or air-gapped still have a large number of access vectors,” he said.
“Organisations need to consider access points such as removable media (sneakernet) or something more sophisticated like radiofrequency signals (Tempest) within the operational technology environment to worry about.”