S0458 Ramsay
Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[1][2]
Item | Value |
---|---|
ID | S0458 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 27 May 2020 |
Last Modified | 14 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Ramsay can use UACMe for privilege escalation.[1][2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Ramsay has used HTTP for C2.[2] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | Ramsay can compress and archive collected files using WinRAR.[1][2] |
enterprise | T1560.003 | Archive via Custom Method | Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.[1] |
enterprise | T1119 | Automated Collection | Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow-up scans.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ramsay has created Registry Run keys to establish persistence.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.005 | Visual Basic | Ramsay has included embedded Visual Basic scripts in malicious documents.[1][2] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Ramsay has used base64 to encode its C2 traffic.[2] |
enterprise | T1005 | Data from Local System | Ramsay can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.[1][2] |
enterprise | T1039 | Data from Network Shared Drive | Ramsay can collect data from network drives and stage it for exfiltration.[1] |
enterprise | T1025 | Data from Removable Media | Ramsay can collect data from removable media and stage it for exfiltration.[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.[1][2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Ramsay can extract its agent from the body of a malicious document.[1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.010 | AppInit DLLs | Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.[1] |
enterprise | T1203 | Exploitation for Client Execution | Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.[1][2] |
enterprise | T1083 | File and Directory Discovery | Ramsay can collect directory and file lists.[1][2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.001 | DLL Search Order Hijacking | Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.[1] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.001 | Component Object Model | Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[1] |
enterprise | T1559.002 | Dynamic Data Exchange | Ramsay has been delivered using OLE objects in malicious documents.[1] |
enterprise | T1036 | Masquerading | Ramsay has masqueraded as a JPG image file.[1] |
enterprise | T1036.005 | Match Legitimate Name or Location | Ramsay has masqueraded as a 7zip installer.[1][2] |
enterprise | T1106 | Native API | Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.[1] |
enterprise | T1046 | Network Service Discovery | Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.[1][2] |
enterprise | T1135 | Network Share Discovery | Ramsay can scan for network drives which may contain documents for collection.[1][2] |
enterprise | T1027 | Obfuscated Files or Information | Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[1] |
enterprise | T1027.003 | Steganography | Ramsay has PE data embedded within JPEG files contained within Word documents.[2] |
enterprise | T1120 | Peripheral Device Discovery | Ramsay can scan for removable media which may contain documents for collection.[1][2] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Ramsay has been distributed through spearphishing emails with malicious attachments.[2] |
enterprise | T1057 | Process Discovery | Ramsay can gather a list of running processes by using Tasklist.[2] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | Ramsay can use ImprovedReflectiveDLLInjection to deploy components.[1] |
enterprise | T1091 | Replication Through Removable Media | Ramsay can spread itself by infecting other portable executable files on removable drives.[1] |
enterprise | T1014 | Rootkit | Ramsay has included a rootkit to evade defenses.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Ramsay can schedule tasks via the Windows COM API to maintain persistence.[1] |
enterprise | T1113 | Screen Capture | Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.[2] |
enterprise | T1082 | System Information Discovery | Ramsay can detect system information, including disk names, total space, and remaining space, to create a hardware profile GUID which acts as a system identifier for operators.[1][2] |
enterprise | T1016 | System Network Configuration Discovery | Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.[2] |
enterprise | T1049 | System Network Connections Discovery | Ramsay can use netstat to enumerate network connections.[2] |
enterprise | T1080 | Taint Shared Content | Ramsay can spread itself by infecting other portable executable files on network shared drives.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Ramsay has been executed through malicious e-mail attachments.[2] |
References
1. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
2. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.