1. Ramsay: A cyber-espionage toolkit tailored for air-gapped networks | Ignacio Sanmillan, Malware Researcher
2. Ignacio Sanmillan, Malware Researcher, @ulexec
3. Agenda: Air-gapping overview; Ramsay framework; Links to DarkHotel; Operation; Conclusion
4. [Diagram] LAN vs. air-gapped network: closed network (high side), open network (low side)
5.
6. Air-gapped networks as high-value targets: USBFerry, reported by Trend Micro (12 May 2020); Ramsay, reported by ESET (13 May 2020); Cycldek, reported by Kaspersky (3 Jun 2020)
7. Air-gapped networks as high-value targets. Opportunity: securing classified or critical information. Trade-off: constrained resources, poor feedback loop, self-reliance, ambiguous modus operandi
8. Ramsay Framework
9. Ramsay | Overview: Tailored for air-gapped networks; First sample - March 2020 (uploaded from Japan to VirusTotal); Possibly still in development
10.
11. Ramsay | Timeline: Ramsay v1 (24 Sept 2019) - no rootkit, no spreader; Ramsay v2.a (8 Mar 2020) - rootkit, spreader; Ramsay v2.b (27 Mar 2020) - rootkit, no spreader
12. Ramsay (v2) | Agent: Deployed as a DLL; Phantom DLL hijacking; Persistence; Distributed capabilities
13. Ramsay | Agent
14. Ramsay | Agent
15. Ramsay | Agent
    Process name        | Service | Action
    SearchIndexer.exe   | WSearch | Create detached instance of SearchUserHost.exe
    SearchUserHost.exe  | WSearch | Main collector; deploys remaining capabilities; injects agent into explorer.exe
    Explorer.exe        | -       | Recently opened Word documents from Office collector
    Msdtc.exe           | MSDTC   | Establish persistence of Ramsay Installer
    *.*                 | -       | Deploys compressor and covert storage
16. Main capabilities: Collection and covert storage; Command execution; Spreading
17. Collection and covert storage: MS Word and text files from the system drive, removable media and network drives. Stored to %APPDATA%\Microsoft\UserSetting (v2) or %APPDATA%\Microsoft\MediaCache (v1)
18. Collection and covert storage
19. Collection and covert storage
20. Collection and covert storage: Compression of the auxiliary collection directory is attempted at 30-minute intervals, executed via a dropped instance of WinRAR using a hardcoded password
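The 30-minute WinRAR cadence is a usable detection hook on the open side of the air gap. The following is an added example (not code from the talk or from ESET) that scans process-creation records for an archiver binary launched from outside its install directory at a regular ~30-minute interval. The log format, the paths, the parent process and the timestamps are all constructed for the example.

```python
"""Hunt for periodic, out-of-place archiver launches (the WinRAR behaviour the
Ramsay slides describe). Added example over constructed process-creation records
in the form "timestamp|image|parent_image"; none of these values are real telemetry."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed records: a legitimate interactive WinRAR run, four launches of a dropped
# rar.exe from the covert storage directory named on the slides, and an unrelated process.
SAMPLE_LOG = """\
2020-03-27T09:00:03Z|C:\\Program Files\\WinRAR\\WinRAR.exe|C:\\Windows\\explorer.exe
2020-03-27T10:00:11Z|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\UserSetting\\rar.exe|C:\\Windows\\System32\\SearchUserHost.exe
2020-03-27T10:30:09Z|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\UserSetting\\rar.exe|C:\\Windows\\System32\\SearchUserHost.exe
2020-03-27T11:00:14Z|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\UserSetting\\rar.exe|C:\\Windows\\System32\\SearchUserHost.exe
2020-03-27T11:30:02Z|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\UserSetting\\rar.exe|C:\\Windows\\System32\\SearchUserHost.exe
2020-03-27T12:05:40Z|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe
"""

ARCHIVER_NAMES = {"winrar.exe", "rar.exe"}
# Assumed install locations; a dropped copy anywhere else is the interesting case.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_log(text):
    """Parse constructed records into (timestamp, image, parent) tuples."""
    events = []
    for line in text.splitlines():
        ts, image, parent = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), image, parent))
    return events


def is_suspicious_archiver(image):
    """An archiver executable running from outside its trusted install directory."""
    name = PureWindowsPath(image).name.lower()
    return name in ARCHIVER_NAMES and not image.lower().startswith(TRUSTED_DIRS)


def find_periodic_runs(events, period=timedelta(minutes=30),
                       tolerance=timedelta(minutes=2), min_runs=3):
    """Group suspicious archiver launches per image path and report those whose
    consecutive launches fall ~period apart at least min_runs times."""
    by_image = {}
    for ts, image, parent in events:
        if is_suspicious_archiver(image):
            by_image.setdefault(image, []).append((ts, parent))
    findings = []
    for image, launches in by_image.items():
        launches.sort()
        periodic_gaps = sum(
            1 for (t0, _), (t1, _) in zip(launches, launches[1:])
            if abs((t1 - t0) - period) <= tolerance
        )
        if periodic_gaps + 1 >= min_runs:
            findings.append({
                "image": image,
                "runs": len(launches),
                "parents": sorted({parent for _, parent in launches}),
            })
    return findings


def hunt(text=SAMPLE_LOG):
    """Convenience entry point: parse the log text and return the findings."""
    return find_periodic_runs(parse_log(text))


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The tolerance window matters: a scheduler driven by a sleep loop drifts by seconds per run, so exact 30-minute matching would miss it, while a two-minute window still separates it from interactive use. Pairing the cadence with the parent process (a search-service host launching an archiver) is what turns a weak signal into an alert.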
21. Collection and covert storage
22. Collection and covert storage
23. Collection and covert storage
24. Collection and covert storage
25.
26. Command execution: Decentralized file-based C&C communication protocol; Scanning of network shares and removable drives; Searching for Word documents, PDFs and ZIP archives
27. Command execution
28. Command execution
    Signature          | Command
    Rr*e#R79m3QNU3Sy   | File execution
    CNDkS_&pgaU#7Yg9   | DLL load
    2DWcdSqcv3?(XYqT   | Batch execution
29. Command execution: After command processing, the control-file document is restored to remove Ramsay-specific artifacts; the restored file is then reused as a carrier by appending a Ramsay container to it
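Because the control document is a legitimate file with a container appended after it, a scanner can look for two things at once: the command signatures listed on the slide, and data sitting past the logical end of an OOXML/ZIP archive. The following is an added example, not code from the talk, and the sample document it builds and tampers with is constructed; the only values taken from the slides are the three signatures.

```python
"""Scan documents for the Ramsay control-file command signatures and report whether
each hit lies in an overlay appended past the end of a ZIP/OOXML container.
Added example; the sample .docx is constructed in memory."""
import io
import struct
import zipfile

# Signature bytes and command names as listed on the slides.
SIGNATURES = {
    b"Rr*e#R79m3QNU3Sy": "File Execution",
    b"CNDkS_&pgaU#7Yg9": "DLL Load",
    b"2DWcdSqcv3?(XYqT": "Batch Execution",
}


def zip_logical_end(data):
    """Offset where a ZIP/OOXML archive logically ends (End-Of-Central-Directory
    record plus its comment), or None if the data is not a ZIP. Uses the last EOCD
    marker, so an overlay that itself contains one would need deeper parsing."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(data):
        return None
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return eocd + 22 + comment_len


def overlay_size(data):
    """Bytes appended after the archive's logical end (0 for non-ZIP input)."""
    end = zip_logical_end(data)
    return 0 if end is None else len(data) - end


def scan_document(data):
    """Return a list of {command, offset, in_overlay} findings for every signature hit."""
    end = zip_logical_end(data)
    findings = []
    for sig, command in SIGNATURES.items():
        start = 0
        while True:
            pos = data.find(sig, start)
            if pos < 0:
                break
            findings.append({
                "command": command,
                "offset": pos,
                "in_overlay": end is not None and pos >= end,
            })
            start = pos + len(sig)
    return findings


def build_docx(body_xml=b"<w:document/>"):
    """Constructed minimal OOXML container used as the sample document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", body_xml)
    return buf.getvalue()


CLEAN_DOCX = build_docx()
# Constructed "control document": the clean file with a container appended after the
# archive end; the padding and the fake path are illustrative, not Ramsay's real layout.
TAMPERED_DOCX = CLEAN_DOCX + b"\x00" * 16 + b"Rr*e#R79m3QNU3Sy" + b"C:\\fake\\payload.exe\x00"

if __name__ == "__main__":
    print("clean:", scan_document(CLEAN_DOCX), "overlay", overlay_size(CLEAN_DOCX))
    print("tampered:", scan_document(TAMPERED_DOCX), "overlay", overlay_size(TAMPERED_DOCX))
```

The overlay check is the more durable of the two signals: signatures change between versions (the slide deck already shows three of them), but a Word document that keeps working while carrying unexplained bytes after its central directory is anomalous regardless of which string is inside. Non-ZIP carriers (the PDFs mentioned on the previous slide) need a format-specific end-of-file check instead.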
30. Spreading
31. Spreading: Prepender file infector leveraged; The same drives are scanned as for command execution; EternalBlue scanner implemented (v2)
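A prepender infector places its own executable in front of the original host, so an infected file carries two PE headers. The following is an added example, not code from the talk, that detects that layout and splits the file so the original host can be hashed against a known-good inventory. The minimal PE images it builds are constructed; the layout assumed is the generic prepender layout, not a description of Ramsay's actual infector.

```python
"""Heuristic detection of prepender-style infection: more than one valid PE header
(an MZ header whose e_lfanew points at a PE\\0\\0 signature) inside a single file.
Added example using constructed minimal PE images; the assumed layout is the
generic one (stub first, host appended), not Ramsay's specific format."""
import struct


def make_fake_pe(tag, e_lfanew=0x80, body_len=64):
    """Build the smallest byte layout the scanner treats as a PE image (constructed)."""
    image = bytearray(e_lfanew + 4)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)   # e_lfanew field of the DOS header
    image[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"     # NT headers signature
    return bytes(image) + tag.ljust(body_len, b"\x00")


def find_pe_headers(data):
    """Return the offset of every MZ header whose e_lfanew points to a PE signature."""
    offsets = []
    pos = data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sane e_lfanew range keeps random "MZ" byte pairs from matching.
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def split_prepended(data):
    """If the file holds two PE images, return (prepended_stub, host) so the host
    can be restored or compared against an inventory hash; otherwise return None."""
    headers = find_pe_headers(data)
    if len(headers) < 2:
        return None
    second = headers[1]
    return data[:second], data[second:]


# Constructed samples: a clean host, an infector stub, and the prepender layout.
HOST = make_fake_pe(b"HOST-APP")
STUB = make_fake_pe(b"INFECTOR-STUB")
INFECTED = STUB + HOST

if __name__ == "__main__":
    print("clean headers:   ", find_pe_headers(HOST))
    print("infected headers:", find_pe_headers(INFECTED))
```

Real executables can legitimately embed a second PE (installers, self-extractors, resources), so this is a triage heuristic for files on removable media and shares rather than a verdict; the split output is what lets an analyst compare the trailing image against the hash of the file as it was originally deployed.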
32. Spreading
33. Spreading
34. Spreading
35. Links to DarkHotel
36. Links to DarkHotel: Various overlaps were found between Ramsay and the Retro backdoor; Retro has been attributed as part of DarkHotel's toolset (360TS); DarkHotel is allegedly a Korean-speaking APT active since at least 2007
37. Links to DarkHotel: Various overlaps were found between Ramsay and the Retro backdoor: OSTs and TTPs; Artifact and code reuse; Contextual similarities via OPSEC fail
38. Links to DarkHotel OSTs and TTPs. Artifact and code reuse. Contextual similarities via OPSEC fail.
39. Overlaps | OSTs and TTPs: TTP overlap in phantom DLL hijacking via malicious instances of msfte.dll and oci.dll; Leveraging similar OSTs, such as UACMe for privilege escalation and ImprovedReflectiveDLLInjection for deploying some of their components
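Phantom DLL hijacking works because the hosting service asks for a DLL that normally does not exist, so the defensive check is simple: the named DLLs should not be present at all, and the hosting services should not load anything from outside the system directories. The following is an added example (not code from the talk) over constructed image-load records; the DLL names and the hosting processes come from the slides, while the paths and record layout are assumptions.

```python
"""Hunt for phantom DLL hijacking of the names the slides associate with Ramsay and
Retro (msfte.dll, oci.dll) in image-load telemetry. Added example over constructed
(process, loaded module) records; the paths are not real telemetry."""
from pathlib import PureWindowsPath

PHANTOM_DLLS = {"msfte.dll", "oci.dll"}                    # names from the slides
HIJACK_HOSTS = {"searchindexer.exe", "searchuserhost.exe", "msdtc.exe"}  # from the agent table
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed records: two phantom DLLs that should not exist, a normal system load,
# a service host pulling a DLL out of the covert storage directory, and a benign load.
SAMPLE_LOADS = [
    ("C:\\Windows\\System32\\SearchIndexer.exe", "C:\\Windows\\System32\\msfte.dll"),
    ("C:\\Windows\\System32\\msdtc.exe", "C:\\Windows\\System32\\oci.dll"),
    ("C:\\Windows\\System32\\msdtc.exe", "C:\\Windows\\System32\\kernel32.dll"),
    ("C:\\Windows\\System32\\SearchUserHost.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\UserSetting\\collector.dll"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\shell32.dll"),
]


def classify_load(process, module):
    """Return a verdict string for a suspicious load, or None for a benign one."""
    proc = PureWindowsPath(process).name.lower()
    mod = PureWindowsPath(module).name.lower()
    path = module.lower()
    if mod in PHANTOM_DLLS:
        # The DLL is looked up by the service but should not be present on a clean box.
        # A real Oracle client ships an oci.dll inside its own install tree, so confirm
        # against the software inventory before escalating.
        return "phantom-dll-present"
    if proc in HIJACK_HOSTS and not path.startswith(SYSTEM_PREFIXES):
        return "hijack-host-loaded-dll-outside-system-dir"
    return None


def hunt_phantom_dlls(records=SAMPLE_LOADS):
    """Return (verdict, process name, module path) for each suspicious record."""
    findings = []
    for process, module in records:
        verdict = classify_load(process, module)
        if verdict:
            findings.append((verdict, PureWindowsPath(process).name, module))
    return findings


if __name__ == "__main__":
    for finding in hunt_phantom_dlls():
        print(finding)
```

The second rule is the one that survives a rename of the malicious DLL: whatever it is called, a search-service or MSDTC process loading code from a user-writable directory is the behaviour to alert on. The first rule is cheap and catches the overlap the talk highlights, but needs the Oracle-client exception noted in the code.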
40. Overlaps | Artifact and code reuse
41. Overlaps | Artifact and code reuse
42. Overlaps | Artifact and code reuse
43. Overlaps | OPSEC fail. Short story time: Initial Ramsay hit was a Ramsay decoy 7zip installer; Scanned telemetry; Found Ramsay v2.b dropped from a malicious document; VT Retrohunt for Ramsay Installer/Agent - unsuccessful; VT Retrohunt for similar malicious documents
44. Overlaps | OPSEC fail
45. Overlaps | OPSEC fail
46. Overlaps | OPSEC fail
47. Overlaps | OPSEC fail
48. Overlaps | OPSEC fail: Documents were uploaded from community accounts of the following sandbox providers: AnyRun, Falcon, VMRay
49. Overlaps | OPSEC fail
50. Overlaps | OPSEC fail
51. Overlaps | OPSEC fail
52. Operation
53. Operation: Operated from adjacent networks, intermittently hopping over the air gap; Restricted visibility of additional related components; Maybe leveraged on post-exploitation by an unknown component (Retro?), https://s.tencent.com/research/report/1000.html; Initial intrusion vector unknown
54. Operation: Ramsay's design hints that it is operated from adjacent networks, intermittently hopping over the air gap; Restricted visibility of additional related components; Maybe leveraged on post-exploitation by an unknown component (Retro?), https://s.tencent.com/research/report/1000.html; Initial intrusion vector unknown
55. [Diagram] Open network vs. air-gapped network: Ramsay v2.a, Ramsay v2.b, control document, intrusion, monitoring, spreading, Ramsay agent
56. Conclusion
57. Conclusion: Ramsay has gone through various development stages; Probably still at a developmental stage, although it is likely being leveraged ITW; Restricted visibility of victims and additional related components; Possibly a product of DarkHotel or a related subgroup
58. Conclusion: Ramsay has gone through various development stages; Probably still at a developmental stage, although it is likely being leveraged ITW; Restricted visibility of victims and additional related components; Possibly a product of DarkHotel or a related subgroup
59. Prevention suggestions: Air-gapping won't stop adversaries; Adjacent open networks must be monitored to mitigate attackers' foothold; Security measures must be applied on air-gapped networks (EDR); Secure protocols should be applied to validate the integrity of devices connecting to/from isolated networks: prevent malware operation through the insertion of removable media
60. Prevention suggestions: Air-gapping won't stop adversaries; Adjacent open networks must be monitored to mitigate attackers' foothold; Security measures must be applied on air-gapped networks (EDR); Secure protocols should be applied to validate the integrity of devices connecting to/from isolated networks: prevent malware operation through the insertion of removable media
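One concrete form of the "validate device integrity" suggestion is a removable-media gate: every file on the medium is recorded in an authenticated manifest when it is sealed on the sending side, and the receiving side refuses the medium if anything was added, changed or removed in transit, which is exactly what a Ramsay-style infector or an appended control document would do. The following is an added example, not code from the talk; the directory contents and key are constructed, and the manifest format is an assumption rather than a standard.

```python
"""Removable-media integrity gate for the air-gap boundary: an HMAC-authenticated
manifest of file hashes written when the medium is sealed and checked on arrival.
Added example; files, key and manifest layout are constructed for the demo."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def hash_tree(root):
    """Map each relative file path under root (except the manifest) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel == MANIFEST_NAME:
            continue
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def write_manifest(root, key):
    """Seal the medium: record every file hash and authenticate the record with HMAC,
    so an attacker who can write to the medium cannot also rewrite the manifest."""
    digests = hash_tree(root)
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    (Path(root) / MANIFEST_NAME).write_text(json.dumps({"files": digests, "hmac": tag}))
    return digests


def verify_media(root, key):
    """Return (ok, problems). A missing manifest, a bad HMAC, or any added, removed
    or modified file fails the medium."""
    manifest_path = Path(root) / MANIFEST_NAME
    if not manifest_path.exists():
        return False, ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch"]
    actual = hash_tree(root)
    problems = []
    for rel in sorted(set(actual) | set(manifest["files"])):
        if rel not in manifest["files"]:
            problems.append(f"added: {rel}")
        elif rel not in actual:
            problems.append(f"removed: {rel}")
        elif actual[rel] != manifest["files"][rel]:
            problems.append(f"modified: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: seal a medium, then tamper with a document and add an
    executable (what an infected low-side host would do), and verify both states."""
    key = b"constructed-demo-key"   # in practice held only on the high side
    with tempfile.TemporaryDirectory() as media:
        (Path(media) / "report.docx").write_bytes(b"PK\x03\x04 constructed document")
        (Path(media) / "notes.txt").write_bytes(b"constructed notes")
        write_manifest(media, key)
        sealed = verify_media(media, key)
        (Path(media) / "report.docx").write_bytes(
            b"PK\x03\x04 constructed document" + b"\x00appended container")
        (Path(media) / "setup.exe").write_bytes(b"MZ constructed")
        tampered = verify_media(media, key)
        return sealed, tampered


if __name__ == "__main__":
    print(demo())
```

The HMAC is the part that makes this more than a checksum list: the manifest travels on the same writable medium as the files, so without a key that never leaves the high side, whatever modified the documents could simply regenerate it. In a real deployment the key lives on the transfer station, the gate runs before any file is opened, and a failed medium is quarantined rather than cleaned in place.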
61. Q&A