Ramsay

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[1][2]

ID: S0458
Type: MALWARE
Platforms: Windows
Contributors: Harry Kim, CODEMIZE
Version: 1.1
Created: 27 May 2020
Last Modified: 14 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

Ramsay has included a rootkit to evade defenses.[1]

Enterprise T1546 .010 Event Triggered Execution: AppInit DLLs

Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.[1]

Enterprise T1025 Data from Removable Media

Ramsay can collect data from removable media and stage it for exfiltration.[1]

Enterprise T1005 Data from Local System

Ramsay can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.[1][2]

Enterprise T1039 Data from Network Shared Drive

Ramsay can collect data from network drives and stage it for exfiltration.[1]

Enterprise T1036 Masquerading

Ramsay has masqueraded as a JPG image file.[1]

.005 Match Legitimate Name or Location

Ramsay has masqueraded as a 7zip installer.[1][2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Ramsay can extract its agent from the body of a malicious document.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Ramsay has created Registry Run keys to establish persistence.[2]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Ramsay has included embedded Visual Basic scripts in malicious documents.[1][2]

Enterprise T1120 Peripheral Device Discovery

Ramsay can scan for removable media which may contain documents for collection.[1][2]

Enterprise T1203 Exploitation for Client Execution

Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.[1][2]

Enterprise T1113 Screen Capture

Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Ramsay has used HTTP for C2.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Ramsay can compress and archive collected files using WinRAR.[1][2]

.003 Archive Collected Data: Archive via Custom Method

Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.[1][2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Ramsay has used base64 to encode its C2 traffic.[2]

Enterprise T1083 File and Directory Discovery

Ramsay can collect directory and file lists.[1][2]

Enterprise T1106 Native API

Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.[1]

Enterprise T1080 Taint Shared Content

Ramsay can spread itself by infecting other portable executable files on network shared drives.[1]

Enterprise T1027 Obfuscated Files or Information

Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[1]

.003 Steganography

Ramsay has PE data embedded within JPEG files contained within Word documents.[2]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Ramsay can use UACMe for privilege escalation.[1][2]

Enterprise T1204 .002 User Execution: Malicious File

Ramsay has been executed through malicious e-mail attachments.[2]

Enterprise T1082 System Information Discovery

Ramsay can collect system information, including disk names, total space, and remaining space, to create a hardware profile GUID that acts as a system identifier for operators.[1][2]

Enterprise T1049 System Network Connections Discovery

Ramsay can use netstat to enumerate network connections.[2]

Enterprise T1016 System Network Configuration Discovery

Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.[2]

Enterprise T1135 Network Share Discovery

Ramsay can scan for network drives which may contain documents for collection.[1][2]

Enterprise T1046 Network Service Discovery

Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.[1][2]

Enterprise T1119 Automated Collection

Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents for collection in follow-up scans.[1]

Enterprise T1057 Process Discovery

Ramsay can gather a list of running processes by using Tasklist.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Ramsay can use ImprovedReflectiveDLLInjection to deploy components.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[1]

.002 Inter-Process Communication: Dynamic Data Exchange

Ramsay has been delivered using OLE objects in malicious documents.[1]

Enterprise T1091 Replication Through Removable Media

Ramsay can spread itself by infecting other portable executable files on removable drives.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Ramsay has been distributed through spearphishing emails with malicious attachments.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Ramsay can schedule tasks via the Windows COM API to maintain persistence.[1]

References