DarkHotel Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/darkhotel/

Ramsay malware attacks PCs which are isolated from the outside world
https://gridinsoft.com/blogs/ramsay-malware-attacks-pcs-which-isolated-from-the-outside-world/
Thu, 14 May 2020

ESET analysts have discovered a previously unknown malware framework, named Ramsay, with some very unusual features: it targets and collects data from air-gapped PCs, i.e. machines that are isolated from the outside world.

Once inside such a system, the malware collects Word files and other sensitive documents, hides them in a concealed container and waits for an opportunity to exfiltrate them.

“We discovered the first copy of Ramsay on VirusTotal. This sample was uploaded from Japan, and it led us to the discovery of additional components and versions of the platform,” the experts say.

Malware designed to steal information from air-gapped machines, i.e. computers physically isolated from any network and from potentially dangerous peripherals, is very rare. Such computers are mainly used in government and corporate networks, and as a rule they store classified documents and other sensitive information, such as intellectual property.

ESET researchers write that they found three different versions of Ramsay: one compiled in September 2019 (Ramsay 1) and two compiled at the beginning and at the end of March 2020 (Ramsay 2.a and 2.b). Ramsay gets onto a system through malicious documents distributed via phishing emails or on USB drives; the document then exploits an old remote code execution (RCE) vulnerability in Microsoft Office to deploy the malware on the system.

Ramsay attacks isolated PCs

The versions differ from each other and infect victims in different ways, but the core behaviour is the same: once on the system, the malware scans the infected computer, gathers Word, PDF and ZIP files into a hidden container and stages them for later exfiltration.

Some versions also contain a spreader module that appends a copy of Ramsay to every PE executable found on removable drives and on network shares.

“The malware could use this mechanism to reach isolated machines and networks: users may move infected executable files between different levels of the corporate network, and eventually the malware would end up on isolated systems,” the researchers say.
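A spreader that tampers with executables on shared media leaves a trace in the files themselves. The following is an added example (my code, not ESET's analysis tooling nor anything from Gridinsoft, and not specific to how Ramsay modifies its hosts) of a generic integrity heuristic a responder can run against a mounted USB stick or network share: parse the PE headers, compute where the last section ends on disk, and flag files that carry unexplained data past that point ("overlay"), while allowing for the Authenticode certificate table, which legitimately lives in the overlay. The sample PE files are constructed in memory for the demo and are not real binaries. Assumption: appended payloads show up as trailing overlay; packers and installers also use overlays, so this is a triage signal, not a verdict.

```python
import os
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECTION_HEADER_SIZE = 40
CERT_DIRECTORY_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)


def pe_overlay_report(data: bytes) -> dict:
    """Locate bytes appended past the last section of a PE file.

    Returns the file offset where the mapped sections end, the overlay size,
    and how many overlay bytes are NOT accounted for by a certificate table.
    Raises ValueError for anything that is not a parseable PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20                         # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, optional)
    # Data directories start at +96 (PE32) or +112 (PE32+) in the optional header.
    dd_base = 96 if magic == PE32_MAGIC else 112
    cert_entry = optional + dd_base + CERT_DIRECTORY_INDEX * 8
    cert_offset = cert_size = 0
    if cert_entry + 8 <= optional + size_of_optional:
        cert_offset, cert_size = struct.unpack_from("<II", data, cert_entry)

    section_table = optional + size_of_optional
    end_of_image = section_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_image = max(end_of_image, ptr_to_raw + size_of_raw)

    overlay_size = max(0, len(data) - end_of_image)
    # The certificate table is addressed by file offset and sits in the overlay.
    cert_in_overlay = 0
    if cert_size and cert_offset >= end_of_image and cert_offset + cert_size <= len(data):
        cert_in_overlay = cert_size
    return {
        "end_of_image": end_of_image,
        "overlay_size": overlay_size,
        "unexplained_overlay": overlay_size - cert_in_overlay,
    }


def classify_pe(data: bytes) -> str:
    """'clean' (no overlay), 'signed' (overlay fully explained by a certificate
    table) or 'appended-data' (trailing bytes nobody accounts for)."""
    report = pe_overlay_report(data)
    if report["overlay_size"] == 0:
        return "clean"
    return "signed" if report["unexplained_overlay"] == 0 else "appended-data"


def scan_tree(root: str) -> dict:
    """Walk a mounted drive or share and classify every parseable PE file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify_pe(fh.read())
            except (OSError, ValueError):
                continue  # unreadable, or not a PE file: skip it
    return results


def build_sample_pe(appended: bytes = b"", signed: bool = False) -> bytes:
    """Constructed fixture: a minimal, non-runnable PE32 stub with one
    0x200-byte section. `appended` is glued on after the section; with
    signed=True the certificate directory points at it, imitating an
    Authenticode blob. Synthetic test data, not a real binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 224                       # PE32 with all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    if signed:
        struct.pack_into("<II", optional, 96 + CERT_DIRECTORY_INDEX * 8, 0x400, len(appended))
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + appended


if __name__ == "__main__":
    for label, blob in [("untouched", build_sample_pe()),
                        ("payload appended", build_sample_pe(b"\x90" * 1500)),
                        ("signed", build_sample_pe(b"\x00" * 256, signed=True))]:
        print(f"{label:18s} -> {classify_pe(blob)} {pe_overlay_report(blob)}")
```

In practice you would pair the scan with a baseline: compare hashes of executables on the share against a known-good inventory, and treat any file whose overlay appeared since the last scan as a candidate for sandbox analysis rather than relying on the overlay size alone.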

ESET analysts admit that they were unable to determine how Ramsay eventually exfiltrates the data collected on isolated machines. Nor did they draw firm conclusions about attribution, although they note that the malware shares similarities with Retro, a malware family associated with the DarkHotel group.

Let me remind you that I recently wrote about another unusual attack that also works offline: the so-called BadUSB.

Microsoft fixed 0-day vulnerability in Internet Explorer and 99 more bugs in its products
https://gridinsoft.com/blogs/microsoft-fixed-0-day-vulnerability-in-internet-explorer-and-99-more-bugs-in-its-products/
Wed, 12 Feb 2020

February's Patch Tuesday was Microsoft's largest in a long time: it fixed almost 100 different bugs, including a zero-day vulnerability in Internet Explorer that was already being exploited, and 11 other critical issues.

Recall that in January 2020 Microsoft disclosed a zero-day vulnerability in Internet Explorer that attackers had already used in “limited targeted attacks”.

The issue was assigned CVE-2020-0674 and was linked to a Firefox zero-day that also came to light in January. Apparently the “limited attacks” were part of a larger campaign that also targeted Firefox users.

“The vulnerability is a memory corruption issue in the IE scripting engine. Exploiting it allows an attacker to execute arbitrary code in the context of the current user; it is enough to lure an IE user to a malicious site,” is how Microsoft describes the high-profile vulnerability.

After the official patch for CVE-2020-0674 was released, Microsoft credited Google's Threat Analysis Group (TAG) and Chinese researchers from Qihoo 360 with originally reporting the problem.

While Google has not published any details about the exploitation of the bug, Qihoo 360 attributes the attacks to the DarkHotel group, which many researchers link to North Korea.

Four more vulnerabilities patched this month had been publicly disclosed before the fixes were released (none of them, however, is known to have been used in attacks): two privilege escalation bugs in Windows Installer (CVE-2020-0683 and CVE-2020-0686), a Secure Boot bypass (CVE-2020-0689), and an information disclosure vulnerability in the Edge and IE browsers (CVE-2020-0706).

“Most of this month's critical issues are RCE vulnerabilities and memory corruption bugs. The Chakra scripting engine, the Media Foundation component and LNK file handling received fixes for such defects,” the experts say.

Worth highlighting separately are two RCE vulnerabilities in Remote Desktop (CVE-2020-0681 and CVE-2020-0734), which allowed arbitrary code execution on the client side, i.e. in the RDP client rather than on the server.

Another remote code execution vulnerability (CVE-2020-0688) was fixed in Exchange Server; it could reportedly be exploited using specially crafted emails.

Let me remind you that Windows 7 users will not receive these patches: the final free updates for that system were released in January, and Microsoft no longer supports it free of charge.

Recently the Free Software Foundation called on Microsoft to release the Windows 7 source code as free software so that the community could maintain it, but the vendor is unlikely to take up the offer.
