Even though threat analysts have found tens or hundreds of malware instances targeting networks and systems, spotting malware aimed at air-gapped networks is really tough, because most malware authors target systems and networks connected to the internet.

However, threat researchers at cybersecurity solution provider ESET have found a new instance of such malware targeting an air-gapped network. The malware toolkit, called Ramsay, is capable of bypassing strict security layers and invading an air-gapped system.

Ramsay malware anatomy

The ESET experts have claimed that the main purpose behind Ramsay's design is to steal sensitive corporate and government data by collecting it in a secret container and waiting patiently for an exfiltration opportunity.

The ESET researchers have explained that the specially crafted malware is capable of travelling the distance to reach the isolated and sensitive network and do damage. The sample of the malware was uploaded to the VirusTotal database by an anonymous user from Japan. The researchers have found that the malware framework is still in its infancy, and the malware authors are expected to improve and strengthen the attack vector in its final version.

What is an air-gapped network?

If you're unaware, air-gapped networks are sensitive networks of computers that exist in most public and private enterprises. Such a network is usually minuscule, kept under strict surveillance, and detached from the internet and the regular system network.

How does Ramsay malware work?

According to the ESET research analysis, the Ramsay malware arrives as an RTF (Rich Text Format) file attached to an email. Once the victim downloads the attached document and opens it, the hidden code inside the file attempts to exploit two Windows vulnerabilities to infiltrate the target system: one in Microsoft Office's Equation Editor (CVE-2017-1188), and another MS Office vulnerability, CVE-2017-0199.
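
As an added illustration (not ESET's tooling and not code from the original article), a triage script for RTF attachments can decode the embedded-object data and flag Equation Editor or OLE2Link objects, the kind of embedded content associated with the two Office exploit paths named above. The marker strings, the function names and the sample documents are assumptions constructed for this example.

```python
import binascii
import re

# Heuristic class-name markers (an assumption of this example, not ESET indicators).
MARKERS = {
    b"equation.3": "Equation Editor OLE object",
    b"ole2link": "OLE2Link object",
}

# Hex payload that follows an \objdata control word, up to the next brace or control word.
OBJDATA = re.compile(rb"\\objdata\b([^{}\\]*)", re.IGNORECASE)


def triage_rtf(data: bytes) -> list:
    """Return labels for suspicious embedded objects in one RTF file's raw bytes."""
    findings = []
    if not data.lstrip().lower().startswith(b"{\\rt"):
        return findings  # not RTF; nothing to inspect
    for match in OBJDATA.finditer(data):
        # RTF writers wrap the hex across lines, so drop everything that is not a hex digit.
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        digits = digits[: len(digits) // 2 * 2]  # ignore a dangling half byte
        decoded = binascii.unhexlify(digits).lower()
        for marker, label in MARKERS.items():
            if marker in decoded and label not in findings:
                findings.append(label)
    return findings


def build_sample(class_name: bytes) -> bytes:
    """Constructed test document: an OLE1-style header carrying only a class name."""
    name = class_name + b"\x00"
    header = b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name
    hexed = binascii.hexlify(header)
    # Split the hex across two lines, as real RTF writers do.
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + hexed[:20] + b"\r\n" + hexed[20:] + b"}}}"


if __name__ == "__main__":
    for cls in (b"Equation.3", b"OLE2Link", b"Package"):
        print(cls.decode(), "->", triage_rtf(build_sample(cls)))
```

Obfuscated RTF can interleave control words or nested groups inside the hex data, so an empty result from this check means "nothing flagged", not "clean".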

Once the Ramsay malware installs itself, it executes a module dubbed Collector, which searches all the storage devices attached to the computer and copies Word, PDF, and ZIP documents to hidden storage. Later, the malware's spreader module kicks in and appends instances of the malware to every PE (Portable Executable) file on removable drives and network shares. Ramsay then waits patiently for the attacker's instruction to fire the data exfiltration module.

The researchers have, however, been unable to locate the exfiltration module so far, meaning the details of the exfiltration operation are not yet known. The blog author has claimed that Ramsay retains a number of shared artifacts from the Retro malware, which was developed by the APT group Dark Hotel.