Ramsay Malware Framework Overview

This threat report is about a malware framework used to gather and steal valuable intelligence on systems for espionage-related reasons. The framework, called Ramsay, is built to collect useful data on targets regardless of whether the system is air-gapped or not. The malware is built to affect hosts that run the Windows operating system.

Espionage-Related Tactics, Techniques, and Procedures

Ramsay is designed to operate without any command & control mechanism: both the collection of the raw data and its storage occur locally. Three versions of the Ramsay malware are currently known in the wild. The first two versions exploit CVE-2017-0199 and CVE-2017-11882. The third version tries to trick users by pretending to be a 7-Zip installer.

About CVE-2017-0199 and CVE-2017-11882 Vulnerabilities:

  • CVE-2017-11882 – affects the Microsoft Office product suite, allowing a remote attacker to execute code on the system. Successful exploitation occurs when a specially crafted file is opened and allows the bad actor to operate with the currently running user’s privileges.
  • CVE-2017-0199 – affects both Microsoft Office and WordPad. This vulnerability allows the bad actor to execute arbitrary code on the system using a specially crafted file. Successful exploitation of this vulnerability could result in a threat actor having full control of the affected system.

The malware targets Word documents, PDF files, and ZIP archives on infected machines. It often looks for these file types on a variety of media, including local storage, network drives, and removable media. The malware collects files of the desired types and encrypts them with RC4. The framework can also spread through network drives to infect other systems internally.

The Ramsay malware maintains persistence on infected targets through a variety of means. It can persist using the AppInit_DLLs registry key. It can create scheduled tasks that run at logon or on every reboot via the Scheduled Task COM API. It also engages in phantom DLL hijacking, abusing older software dependencies by creating malicious DLL files that are then invoked. The two files used for phantom DLL hijacking are msfte.dll (Windows Search) and oci.dll (Microsoft Distributed Transaction Coordinator).

What Ramsay Malware Means to You

Here are ways Ramsay malware may impact your organization:

  • Could lead to the unwanted collection of sensitive data on the network.
  • May lead to the loss of key financial documents.
  • Could result in the propagation of an advanced intelligence gathering framework in the environment.

What You Can Do

It is highly encouraged that you patch both CVE-2017-0199 and CVE-2017-11882 using the links found below. Consider performing file integrity monitoring in sensitive segments of the network to look for unusual file changes. Disable the use of removable media inside air-gapped networks with an exception made for approved administrators.
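
As a complement to the monitoring advice above, here is an added detection sketch (not part of the original report or of any vendor tooling) that flags the persistence artifacts named earlier: writes to the AppInit_DLLs value and the appearance or unsigned loading of msfte.dll or oci.dll. It assumes endpoint events have already been flattened into dictionaries with Sysmon-style field names; the rule names, the sample events, and the choice to treat a signed load as benign are assumptions made for illustration.

```python
import ntpath

# From the report: AppInit DLL registry persistence and the two phantom DLL names.
PHANTOM_DLLS = {"msfte.dll", "oci.dll"}
APPINIT_SUFFIX = r"\windows nt\currentversion\windows\appinit_dlls"

# Constructed events (not real telemetry), using Sysmon-style field names:
# 13 = registry value set, 11 = file created, 7 = image loaded.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS-01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ProgramData\example\example.dll"},
    {"EventID": 13, "Computer": "WS-01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Device",
     "Details": "Example Printer"},
    {"EventID": 11, "Computer": "WS-02",
     "TargetFilename": r"C:\Windows\System32\MSFTE.DLL"},
    {"EventID": 7, "Computer": "DB-01", "Signed": "true",
     "ImageLoaded": r"C:\oracle\client\bin\oci.dll"},
    {"EventID": 7, "Computer": "WS-02", "Signed": "false",
     "ImageLoaded": r"C:\Windows\System32\oci.dll"},
]


def triage(events):
    """Return (computer, rule, detail) tuples for events worth an analyst's review."""
    findings = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == 13:
            key = ev.get("TargetObject", "").lower()
            value = ev.get("Details", "").strip()
            # A non-empty value names DLLs to be loaded into user-mode processes.
            if key.endswith(APPINIT_SUFFIX) and value:
                findings.append((host, "appinit_dlls_set", value))
        elif eid == 11:
            path = ev.get("TargetFilename", "")
            if ntpath.basename(path).lower() in PHANTOM_DLLS:
                findings.append((host, "phantom_dll_created", path))
        elif eid == 7:
            path = ev.get("ImageLoaded", "")
            unsigned = str(ev.get("Signed", "")).lower() != "true"
            if ntpath.basename(path).lower() in PHANTOM_DLLS and unsigned:
                findings.append((host, "phantom_dll_loaded_unsigned", path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The file-creation rule matches on file name alone, so a legitimate database client that ships its own oci.dll will also surface and needs to be allow-listed by path or signer.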

Additional Ramsay Malware Information

 IBM X-Force Exchange Links:

Supporting Documentation:

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
