New threat to Mac users discovered

The capabilities of CloudMensis clearly show that its operators’ intent is to gather information from the victims’ Macs by exfiltrating documents and keystrokes, listing email messages and attachments, listing files from removable storage, and taking screen captures.

Had your face stolen lately?

You can reset your PIN after a data breach, you can reset your password after a data breach, you can reset your security questions after a data breach – but can you reset your face? Sure, there’s surgery, but that is clearly an asymmetric amount of effort to expend in response to a vendor’s careless handling of biometric data. Subsequent resets could get even weirder. This elevates identity theft to a whole new level.

Gamaredon group targets Microsoft Outlook and Office, ESET

The latest tools inject malicious macros or references to remote templates into existing documents on the attacked system, which is a very efficient way of moving within an organization’s network, as documents are routinely shared amongst colleagues.

ESET Research discovers cyber espionage framework Ramsay

According to ESET findings, Ramsay has gone through several iterations based on the different instances of the framework found, denoting a linear progression in the number and complexity of its capabilities.

ESET researchers disrupt cryptomining botnet VictoryGate

ESET researchers have been “sinkholing” several domain names that control the botnet’s actions, replacing them with machines that do not send the botnet’s slave computers the commands they expect, but simply monitor botnet activity. Based on this data and ESET telemetry, ESET estimates that at least 35,000 devices became infected with VictoryGate at one point or another during this campaign.