Researchers expose new malware designed to steal data from air-gapped networks
Hacking tools and techniques that are capable of accessing “air-gapped” systems — those cut off from external network connections — are coveted by intelligence agencies and pored over by security researchers. Spies try to conceal them; researchers try to expose them to warn potential victims.
That dynamic is behind Slovakian anti-virus company ESET’s decision Wednesday to go public with what it says is a previously unknown malicious software framework designed to steal files from air-gapped systems. Much around the hacking tool — who is using it, who some of its victims are — remains a mystery. But ESET is hoping publicizing it will shake loose more clues in their hunt for the hackers.
“We believe Ramsay is intended to be used in targeted attacks only and [has] espionage written all over it,” Alexis Dorais-Joncas, a security intelligence team lead at ESET, told CyberScoop. “‘Normal’ people do not operate in air-gapped environments.”
The hacking tool, dubbed Ramsay, exploits old vulnerabilities in Microsoft Office. The ultimate goal, ESET says, is to use a local file system on the target machine to smuggle data out of an air-gapped network.
A component of the malware “uses the local files system to stage the stolen documents in a very specific and covert way, making it ready for an eventual exfiltration,” Dorais-Joncas said. The malware also looks for specific files on any network-shared or removable drive “that is connected to the Ramsay-infected system,” he said.
Since the end of last year, the hackers have been honing the Ramsay malware, making it more difficult to detect on systems.
Dorais-Joncas said his team has confirmed one victim of the malware and assumes another based on code that was uploaded to the VirusTotal malware repository from Japan. But they suspect the victim count to be higher.
While the hackers’ identity may be an enigma, they did leave behind fingerprints that researchers are still investigating. Some of the malicious documents had Korean-language metadata in them. Ramsay also uses several “tokens,” or digital markers, that were previously seen in a hacking tool associated with DarkHotel, an elite, South Korea-linked hacking group that has targeted organizations across East Asia.
But those tenuous similarities are not nearly enough evidence to conclude that DarkHotel might be involved in Ramsay’s development, Dorais-Joncas cautioned.
Understanding hacking tools and techniques that target air-gapped systems can require collaboration between multiple cybersecurity companies, as was the case with the Stuxnet worm a decade ago. ESET’s researchers are still searching for the component that the Ramsay malware uses to exfiltrate data. Publishing their findings, they hope, will turn up some leads.
“We decided to release our findings now because the overall benefit for the security community and potential targets [or] victims outweighs the benefits of keeping the information private and continuing the investigation on our own,” Dorais-Joncas said.