Ramsay Cyber-Espionage Framework Rumbled by Researchers

A new cyber-espionage framework has been unearthed by researchers at cybersecurity company ESET.

Dubbed "Ramsay," the framework appears to be tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems.

ESET believes that the framework is still under active development, because its research to date has revealed only a small number of victims. Malicious documents uncovered during the research and uploaded to public sandbox engines with titles such as "access_test.docx" or "Test.docx" seem to support this theory.

Researchers came across the previously unreported cyber-espionage framework while studying a suspicious data sample. Korean-language metadata were discovered within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates.

Alexis Dorais-Joncas, head of ESET’s Montreal-based research team, said: “We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing."

Although a relatively fresh arrival on the digital spy scene, Ramsay has already undergone several re-jigs. Researchers noted that the various discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.

"Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as ..