Though they are not always practical, air-gapped networks are the ultimate cybersecurity measure. Or at least they have always been seen that way by the high-security industries that rely on them: power plants, aviation systems, high finance and military applications, to name a few. Air-gapped networks are regarded as being virtually immune to malware, but a newly discovered toolkit is threatening to upend that paradigm.
Theoretical attacks on air-gapped networks have dribbled out over the past decade, but nearly all rely on fairly complex systems of radio waves or cellular phone signals that would require extended physical access to the target network. A new attack type in development focuses on hiding in the sort of document and archive files that would be manually walked to air-gapped networks and transferred via USB drive or physical media. What is unique about this malware toolkit is that it appears to specifically target air-gapped networks, lying low and inactive in infected files until it is connected to the intended target.
A new threat to air-gapped networks
It’s important to note that this new malware is still in the developmental stages, but three different versions that each show increasing sophistication have been found in the wild by security researchers.
Dubbed “Ramsay” for a name that appears repeatedly in the code, the new malware was discovered by researchers at the ESET cybersecurity firm of Slovakia. It was first spotted in the VirusTotal online anti-malware aggregator, apparently sourced from somewhere in Japan. The researchers then found two additional versions by combing VirusTotal, with each version adding a feature that the previous version did not have.
Though the malware is being directed at targets by a threat actor, ESET believes that it is still under development and that there have been few victims as of yet.
The Ramsay malware attempts to smuggle itself onto targeted air-gapped networks by hiding in a variety of file types: malicious documents and fake program installers. The ESET researchers believe that the threat actors may be testing a variety of file types to see which works best. The document files exploit a known vulnerability in some versions of Microsoft Office that allows malicious code to be executed, with a fake embedded JPEG file that is actually a Visual Basic script.
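The transfer path described above (documents and archives carried onto the isolated network on removable media) is one place a defender can check for the lure the article mentions: an "image" whose bytes are really a script. The following is an added example, not code from ESET or from the article; the magic-byte table and the VBScript markers are my own assumptions, and the sample files are constructed.

```python
from pathlib import Path

# Expected leading bytes per extension. Assumed table for this example, not from the report.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
}

# Tokens that suggest a Visual Basic script hiding under an unrelated extension (assumed list).
SCRIPT_MARKERS = (b"CreateObject(", b"WScript.", b"Execute(", b"Shell(")


def classify(name, head):
    """Return None if the header matches the extension, else a verdict string."""
    expected = MAGIC.get(Path(name).suffix.lower())
    if expected is None:                       # extension we have no expectation for
        return None
    if any(head.startswith(m) for m in expected):
        return None                            # header is what the extension claims
    if any(m in head for m in SCRIPT_MARKERS):
        return "script-in-disguise"            # the page's fake-JPEG-is-VBScript case
    return "header-mismatch"                   # wrong type, but not obviously a script


def scan_tree(root):
    """Walk a mounted removable drive (or any directory) and report mismatches."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                head = fh.read(4096)           # only the header is needed for the check
            verdict = classify(path.name, head)
            if verdict:
                findings.append((str(path), verdict))
    return findings


def demo():
    """Build a constructed sample tree and scan it; sample data only, no real indicators."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                # genuine JPEG header
            "photo2.jpg": b'Set sh = CreateObject("WScript.Shell")\r\n',    # script posing as JPEG
            "report.pdf": b"%PDF-1.7\n%constructed",                        # genuine PDF header
            "notes.txt": b"plain text, no expectation",                     # unchecked extension
        }
        for name, data in samples.items():
            (Path(d) / name).write_bytes(data)
        return sorted(verdict for _, verdict in scan_tree(d))
```

Run `scan_tree("/media/usb")` (or the drive letter on Windows) against media before it is carried across the gap; a header mismatch is a cheap triage signal, not a verdict, since benign misnamed files also trip it.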
Based on similarities to the Retro backdoor exploit and the use of Korean language in some files, ESET is tentatively attributing this attack to advanced persistent threat (APT) group DarkHotel. DarkHotel is one of the older continuously operating APT groups, first spotted in 2004 and earning the moniker by targeting VIPs in Asia Pacific hotels through the property’s WiFi network. DarkHotel is thought to be based in either North or South Korea, but cybersecurity experts are still divided on which government they are working for.
What the Ramsay malware does
The purpose of the malware is espionage. Once active, it gathers up all of the available Microsoft Word documents, PDF files and ZIP archives on the target system and takes screenshots of desktops. It also spreads throughout the target network, actively searching for shared network files and removable drives.
The malware is also persistent after reboots, and flies below the radar by targeting specific DLL files expected to be in the target’s file systems. To avoid raising alarms, it also waits to begin exfiltrating files until it has reached the air-gapped computers and embedded itself. The data that it acquires is compressed and hidden until it is ready for exfiltration.
The researchers are still not sure exactly how it exfiltrates the data; this portion of the process may still be undergoing testing. Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, notes that the malware is likely designed to lie low until it works its way back to an internet-connected system: “It seems this spyware platform is really worried about being detected by traditional network security devices and, therefore, eliminates the use of typical command and control communication channels that are network based. This does indeed fit the air-gap target network theory well, but I suspect it is expected to be used even in connected networks. After all, the original infection vector via email needs to find its way to the victim’s network somehow. I also believe that the gluttonous nature of the collector may make for a very large amount of data to exfiltrate, which even when compressed might trigger DLP tools as they are being exfiltrated over the network. This would explain why the malware is not attempting straightforward exfiltration. As much as infecting air-gap networks is difficult, exfiltrating data from them is even more difficult, which is why most malware that operates in air-gap networks are destroyers. One of the modules of this platform must have a probe looking for internet connectivity. Unless that exfiltration method is identified, I think the jury is still out as to understanding the full picture of this malware.”
The researchers have chosen to make the malware public in the hopes of discovering more about its origins and communication protocol.
Prior attacks on air-gapped networks
There are few documented attacks on air-gapped networks; the most infamous was the 2010 Stuxnet worm, but that was used for a one-way transmission intended to destroy the target devices rather than exfiltrate data. As Chris Clements, Security Awareness Advocate for Cerberus Sentinel, points out, the last successful air-gap attack via USB drives in the US led to the creation of the United States Cyber Command: “In 2008 the US Central Command (CentCom) air-gapped network was compromised when an adversary packaged infected thumb drives in stores near the base. When service members bought and inserted these drives into their computers, the malware activated and spread throughout the high security military network … The Ramsay malware has all the hallmarks of a state-sponsored intelligence operation. It has capabilities to restrict its behavior to specific targets, which are typically not seen in general cybercrime malware built to infect indiscriminately.”
Researchers have shown various attack vectors through which data exfiltration is viable, but these theoretical techniques require infected systems to be physically close enough to each other to transmit data from air-gapped systems through the air in some way.
The closest prior analogue to the Ramsay malware was Project Sauron, which Kaspersky found on a number of networks in Russia, Iran and Rwanda in 2016. As with Ramsay, the Project Sauron malware would compress sensitive documents on the target system and appeared to wait for an opportunity to traverse the air gap again with them and connect to a remote server.