Ramsay, a new threat that hijacks Word, PDF and ZIP files. ESET has discovered this malware and reports having detected three variants, although few victims have been documented so far.

This malware has been associated with Darkhotel, a known APT group that has carried out cyberespionage operations since at least 2004 and has targeted government entities in China and Japan in the past.

Ramsay joins the long list of threats that we can encounter while browsing the Internet. It is a new piece of malware that challenges users' security. In this case we are facing a threat that can “collect” Word, PDF or ZIP files. Reportedly, it may spread through a file with the RTF extension, a format developed by Microsoft in 1987 for cross-platform file exchange.

The first of these variants may have been in circulation since September 2019. It was a simpler version, and the next two were more elaborate. These two variants appeared at the end of March. According to reports, to get onto systems the malware takes advantage of two vulnerabilities registered as CVE-2017-0199 and CVE-2017-11882. Both security flaws allow arbitrary code execution.

In addition, in one of the more elaborate variants, the malware posed as an installer for the 7-Zip file compression tool.

