May 19, 2020
SentinelOne vs Ramsay Trojan
The Ramsay "framework" emerged in late 2019. As of April 2020, there appear to be two actively maintained branches of it. The Ramsay malware and toolset are heavily focused on two things: maintaining persistence, and collecting data for exfiltration from air-gapped environments.
The original version of Ramsay was distributed via maliciously crafted Office documents. These documents were sent by email and were designed to exploit CVE-2017-0199 to install the malware. CVE-2017-0199 is a remote code execution flaw in the way Microsoft Office (and WordPad) handle OLE objects: when a specially crafted RTF document is opened, an embedded OLE object retrieves a remote file and executes it, typically an HTA carrying VBScript or PowerShell, as soon as the document loads.
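The detection check a responder would want for the delivery stage described above is a quick RTF triage: look for an embedded `\object` with the `\objupdate` flag (which makes Office refresh the object, and so fetch the remote file, on open) and decode the `\objdata` hex blob looking for the URL Moniker CLSID, then recover the URL the moniker points at. The following is an added example written for this page; it is not SentinelOne's code and is not derived from a Ramsay sample. The sample document is constructed inline with a harmless `example.test` URL, and the moniker layout it assumes (16-byte CLSID, DWORD byte length, UTF-16LE string) is an assumption of the example.

```python
"""Triage an RTF for the OLE2Link / URL-moniker pattern used by CVE-2017-0199 exploits.

Added illustrative example; not SentinelOne's code and not taken from a Ramsay sample.
"""
import re
import struct

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it appears, little-endian,
# inside an \objdata blob; this is the well-known hunting signature for the exploit.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _extract_urls(blob: bytes) -> list:
    """Return every URL that follows a URL-moniker CLSID in a decoded \\objdata blob.

    Assumed layout (matches the constructed sample below): CLSID, DWORD byte length,
    UTF-16LE string terminated by a null.
    """
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos != -1:
        start = pos + len(URL_MONIKER_CLSID)
        if start + 4 <= len(blob):
            (length,) = struct.unpack_from("<I", blob, start)
            raw = blob[start + 4:start + 4 + length]
            urls.append(raw.decode("utf-16-le", errors="replace").rstrip("\x00"))
        pos = blob.find(URL_MONIKER_CLSID, start)
    return urls


def triage_rtf(data: bytes) -> dict:
    """Score an RTF: is it RTF, does it embed an object, will it auto-update, is a URL moniker present."""
    is_rtf = data.lstrip().startswith(b"{\\rt")  # Word also accepts truncated "{\rt" headers
    has_object = b"\\object" in data
    has_objupdate = b"\\objupdate" in data  # forces the object to refresh (fetch) on open
    moniker, urls = False, []
    for m in _OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a trailing stray nibble
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue
        if URL_MONIKER_CLSID in blob:
            moniker = True
            urls.extend(_extract_urls(blob))
    return {
        "is_rtf": is_rtf,
        "has_object": has_object,
        "has_objupdate": has_objupdate,
        "url_moniker": moniker,
        "urls": urls,
        # A URL moniker inside an embedded object is enough to pull the file for analysis;
        # has_objupdate tells you whether it fires without user interaction.
        "suspicious": is_rtf and has_object and moniker,
    }


def build_sample_rtf(url: str) -> bytes:
    """Constructed test document mimicking the exploit layout (no payload, harmless URL)."""
    u = (url + "\x00").encode("utf-16-le")
    objdata = (b"\x01\x05\x00\x00" + URL_MONIKER_CLSID + struct.pack("<I", len(u)) + u).hex()
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + objdata.encode("ascii") + b"}}}")


if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf("http://example.test/update.hta")))
    print(triage_rtf(b"{\\rtf1\\ansi Just a memo.}"))
```

Run it over a mail-gateway quarantine folder and anything with `url_moniker` set is worth detonating; `has_objupdate` separates documents that fire on open from ones that need the user to activate the object.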
Later versions of Ramsay (2.a and 2.b) were distributed as trojanized installers for well-known applications (for example, 7-Zip). These later versions also added an aggressive spreading mechanism: a file infector that locates PE executables on local drives and on reachable network shares and infects them, so that running any infected binary spreads the malware further inside the targeted environment.
Along with the spreading capabilities, Ramsay includes multiple techniques for maintaining persistence. These include:
DLL search-order hijacking
AppInit_DLLs registry key entries
Scheduled tasks
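Each of the three persistence techniques listed above leaves an artefact a responder can pull from a host and review offline: the `AppInit_DLLs` / `LoadAppInit_DLLs` values under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`, the exported Task Scheduler XML, and a listing of application directories where a DLL with a System32 name would be picked up first by the loader. The following hunt script is an added example written for this page; it is not SentinelOne's code, is not derived from Ramsay samples, and makes no claim about which paths or names Ramsay actually used. All three inputs (the `.reg` export, the task XML and the directory listing) are constructed inline; the environment-variable map and the list of commonly hijacked System32 DLL names are assumptions of the example and would be built from the target host in a real engagement.

```python
"""Offline hunt for AppInit_DLLs entries, suspicious scheduled tasks and DLL hijack candidates.

Added illustrative example; not SentinelOne's code and not derived from Ramsay samples.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Locations a normal install launches executables from; anything else (profile, ProgramData,
# Public, Temp) gets a look. Assumption of this example, not an exhaustive allow-list.
TRUSTED_ROOTS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/", "c:/windows/winsxs/")
ENV = {"%windir%": "c:/windows", "%systemroot%": "c:/windows",
       "%programfiles%": "c:/program files", "%programfiles(x86)%": "c:/program files (x86)"}
# System32 DLLs that are common search-order hijack targets (example list; build it from
# the host's real System32 listing in practice).
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptsp.dll", "uxtheme.dll", "wtsapi32.dll"}
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
_WIN_PATH_RE = re.compile(r'(?:[A-Za-z]:|%[^%\s]+%)\\[^\s,"]+')


def _norm(path: str) -> str:
    """Lower-case, expand the few env vars we know, and use forward slashes."""
    p = path.strip().strip('"').lower()
    for var, target in ENV.items():
        p = p.replace(var, target)
    return p.replace("\\", "/")


def _is_trusted(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_ROOTS)


def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser -> {key_path: {value_name: str | int}} (REG_SZ and DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))', line)
            if m:
                name, s, dw = m.groups()
                keys[current][name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return keys


def check_appinit(keys: dict) -> list:
    """Any AppInit_DLLs entry is review-worthy; note whether LoadAppInit_DLLs enables it."""
    findings = []
    for key in APPINIT_KEYS:
        vals = keys.get(key, {})
        enabled = vals.get("LoadAppInit_DLLs", 0) == 1
        for dll in re.split(r"[ ,;]+", str(vals.get("AppInit_DLLs", "")).strip()):
            if dll:
                state = "enabled" if enabled else "present but LoadAppInit_DLLs=0"
                findings.append(f"AppInit_DLLs={dll} ({state}) under {key}")
    return findings


def check_tasks(task_xmls: dict) -> list:
    """Flag Exec actions whose command, or any path in its arguments, sits outside trusted roots."""
    findings = []
    for name, xml in task_xmls.items():
        for ex in ET.fromstring(xml).iter(TASK_NS + "Exec"):
            cmd = (ex.findtext(TASK_NS + "Command") or "").strip()
            args = (ex.findtext(TASK_NS + "Arguments") or "").strip()
            if not all(_is_trusted(p) for p in [cmd] + _WIN_PATH_RE.findall(args)):
                findings.append(f"task {name}: launches from outside trusted install locations: {cmd} {args}".rstrip())
    return findings


def check_dll_hijack(listing: list) -> list:
    """A DLL carrying a System32 name but living in an application directory loads first."""
    findings = []
    for p in listing:
        path = _norm(p)
        if path.rsplit("/", 1)[-1] in SYSTEM_DLL_NAMES and not path.startswith(SYSTEM_DIRS):
            findings.append(f"possible DLL search-order hijack: {p} shadows a System32 DLL")
    return findings


def hunt_persistence(reg_text: str, task_xmls: dict, listing: list) -> list:
    return check_appinit(parse_reg_export(reg_text)) + check_tasks(task_xmls) + check_dll_hijack(listing)


# Constructed sample artefacts (not from a real host or a Ramsay sample).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\Updater\\helper.dll"
"LoadAppInit_DLLs"=dword:00000001
'''
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r'''<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>''',
    r"\UpdateCheck": r'''<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec><Command>C:\Windows\System32\rundll32.exe</Command><Arguments>C:\Users\Public\Libraries\netutil.dll,Start</Arguments></Exec></Actions></Task>''',
}
SAMPLE_LISTING = [r"C:\Program Files\7-Zip\7z.exe", r"C:\Program Files\7-Zip\7z.dll",
                  r"C:\Program Files\7-Zip\version.dll", r"C:\Windows\System32\version.dll"]

if __name__ == "__main__":
    for finding in hunt_persistence(SAMPLE_REG, SAMPLE_TASKS, SAMPLE_LISTING):
        print(finding)
```

On a real host the inputs come from `reg export`, `schtasks /query /xml` and a directory walk of `Program Files`; the same three checks then apply unchanged. The task check deliberately inspects arguments as well as the command, since a task that runs a signed `rundll32.exe` from System32 with a DLL path under `C:\Users\Public` is exactly the shape that slips past a command-only filter.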