Security researchers from ESET recently discovered a new cyber espionage campaign codenamed “Ramsay”, which is designed to steal sensitive documents from air-gapped networks. Ramsay can infect air-gapped computers, collect Word, PDF, and ZIP files into a hidden folder, and then exfiltrate them, the researchers said. An air gap is a security measure that physically isolates a computer network from the rest of the company’s networks and from potentially unsecured networks such as the public internet.
“We initially found an instance of Ramsay in VirusTotal. That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a developmental stage, with its delivery vectors still undergoing fine-tuning,” the researchers said in an official post.
The researchers stated that they found three different samples of the Ramsay malware: one discovered in September 2019 (Ramsay v1), and the other two in early and late March 2020 (Ramsay v2.a and v2.b).
“Unlike most conventional malware, Ramsay does not have a network-based C&C communication protocol nor does it make any attempt to connect to a remote host for communication purposes. Ramsay’s control protocol follows the same decentralized philosophy implemented for collected artifact storage. Ramsay will scan all the network shares and removable drives for potential control files,” researchers said.
The researchers suggest that each version of Ramsay was different and infected victims through different methods, but the primary role of all of them was to scan an infected computer, gather Word, PDF, and ZIP documents into a hidden storage folder, and exfiltrate them later.
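The behaviour described above (a hidden folder that fills up with Word, PDF and ZIP files on a host or removable drive) gives defenders a simple hunting heuristic. The following is an added example written for this page, not code from ESET or from the malware analysis; the thresholds, the constructed sample tree and the function names are assumptions.

```python
import os
import stat
import tempfile
from collections import Counter
from pathlib import Path

# Document types ESET reports Ramsay staging for later exfiltration.
STAGED_TYPES = {".doc", ".docx", ".pdf", ".zip"}


def is_hidden(path: Path) -> bool:
    """Hidden by dot-prefix (POSIX) or by the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_staging_dirs(root, min_files=3, min_ratio=0.8):
    """Return [(relative_dir, staged_count)] for hidden directories whose
    files are mostly Word/PDF/ZIP.  Thresholds are assumed triage values:
    a hidden config directory with one .ini file will not be reported."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d == Path(root) or not is_hidden(d):
            continue
        exts = Counter(Path(f).suffix.lower() for f in filenames)
        total = sum(exts.values())
        staged = sum(n for e, n in exts.items() if e in STAGED_TYPES)
        if total >= min_files and staged / total >= min_ratio:
            findings.append((d.relative_to(root).as_posix(), staged))
    return findings


def demo():
    """Constructed sample tree (not real data): a benign hidden config
    directory plus a hidden directory that looks like a staging folder."""
    tmp = tempfile.mkdtemp()
    (Path(tmp) / ".config").mkdir()
    (Path(tmp) / ".config" / "settings.ini").write_text("constructed")
    cache = Path(tmp) / "Documents" / ".cache"
    cache.mkdir(parents=True)
    for name in ("report.docx", "plan.pdf", "backup.zip", "notes.doc"):
        (cache / name).write_bytes(b"constructed sample")
    (Path(tmp) / "Documents" / "public.pdf").write_bytes(b"visible, not staged")
    return find_staging_dirs(tmp)


if __name__ == "__main__":
    for rel_dir, count in demo():
        print(f"possible staging folder: {rel_dir} ({count} staged files)")
```

Point `find_staging_dirs` at a removable-drive mount or a network share root to triage it; a hit is a lead for further investigation, not proof of infection.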
Ramsay shares several similarities with Retro, a backdoor associated with DarkHotel, a notorious APT group known to have conducted cyber-espionage operations since 2004 and to have targeted government entities in China and Japan.
In a similar discovery, researchers from Check Point identified a Chinese hacker group, “Naikon APT”, that is behind an ongoing cyber espionage campaign targeting government entities in the Asia-Pacific (APAC) region. The group reportedly spent five years spying on organizations in the Philippines, Australia, Thailand, Indonesia, Vietnam, Myanmar, and Brunei. The researchers stated that the Naikon APT group has been active since 2015, carrying out a series of cyberattacks on government units, including ministries of foreign affairs, science and technology ministries, and government-owned companies, using a backdoor called “Aria-body”.