'Ramsay' Espionage Framework Can Exfiltrate Data From Air-Gapped Networks (Security News, May 2020)
Dubbed Ramsay, the framework appears to be in the development stage, with its operators still working on refining delivery vectors.
Ramsay appears to have been under development since late 2019, and ESET's security researchers believe that there are two maintained versions at the moment, each tailored based on the configuration of different targets.
The spreader was designed as a file infector, embedding malicious Ramsay artifacts within PE executable files found on removable and network shared drives.
For persistence, the framework uses multiple mechanisms: an AppInit DLL registry key, scheduled tasks via the COM API, and a technique known as Phantom DLL Hijacking.
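The AppInit DLL mechanism named above is one of the easiest of the three to audit on a host. The following PowerShell script is an added defender-side example, not code from the article or from ESET's report; it reads the real AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs registry values (64-bit and WOW64 views) and flags an active injection list that contains an unsigned or missing DLL.

```powershell
# Added defender-side example (not from the article or ESET): audit the
# AppInit_DLLs persistence mechanism. Any DLL listed here is loaded into every
# process that loads user32.dll, so a non-empty list deserves scrutiny.
# Run from an elevated PowerShell prompt on the host being checked.

$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllStatus {
    foreach ($key in $appInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $props   = Get-ItemProperty -Path $key
        $dllList = [string]$props.AppInit_DLLs           # space- or comma-separated
        $enabled = [int]$props.LoadAppInit_DLLs          # 1 = injection active
        $signed  = [int]$props.RequireSignedAppInit_DLLs # 1 = unsigned DLLs refused

        # Resolve each listed DLL and check whether it exists and is signed.
        # A bare file name (no directory) is resolved by the loader's search
        # order at run time; here it is checked relative to the current directory,
        # so a 'FileMissing' result for such an entry still merits a manual look.
        $entries = foreach ($dll in ($dllList -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (Test-Path -LiteralPath $path) {
                $status = (Get-AuthenticodeSignature -FilePath $path).Status
            } else {
                $status = 'FileMissing'
            }
            [PSCustomObject]@{ Dll = $path; Signature = $status }
        }

        [PSCustomObject]@{
            Key              = $key
            LoadAppInit_DLLs = $enabled
            RequireSigned    = $signed
            Dlls             = $entries
            # Flag when injection is on and at least one DLL is unsigned or missing.
            Suspicious       = ($enabled -eq 1) -and
                               (@($entries | Where-Object { $_.Signature -ne 'Valid' }).Count -gt 0)
        }
    }
}

Get-AppInitDllStatus | Format-List
```

A clean host normally shows an empty AppInit_DLLs value; anything else should be compared against the organisation's known software inventory before being removed.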
Ramsay's list of capabilities includes file collection, command execution (rather than a conventional communication protocol, it relies on control files to receive three commands: file execution, DLL load, and batch execution), and spreading.