| Category | Type | Industry | Region |
|---|---|---|---|
| Malware Intelligence | Remote Access Trojan | Multiple | Global |
- On 10 February 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa”, created by Russian hacktivists.
- Ekipa was primarily designed for “targeted attacks”, i.e. to be used against anyone who refuses to accept Russian political beliefs.
- The advertised price for the RAT is USD 3,000, and the actor can be contacted via XMPP.
- Ekipa (slang for “equipment”) is an MS Word macro/Excel add-in that is AMSI enabled and a non-resident loader with file-browser functions.
- It works remotely and does not reside in the victim’s RAM.
- It appears to be a control panel; however, it works as a powerful RAT with embedded Visual Basic (VB) scripts.
- VB macro templates are the fulcrum of Ekipa and are capable of extracting the victim’s details.
- It is a FUD (fully undetectable) RAT, as shown by the multiple antivirus scans in the PoC.
- The RAT is equipped with a GUI builder for specifying the target system.
- The starting point of the attack is an infected Word/Excel document crafted by the attacker.
- Two XML templates contain instructions for exfiltrating the geographic information and system particulars of the target.
- These are injected into the Word/Excel document.
- The attack steps are the same for both; however, application add-ins have to be enabled for Excel.
- CVE-2021-26411, a use-after-free memory corruption vulnerability in Internet Explorer, is used for leverage.
- The exploit is coded into the template, which is then used to launch the RAT.
- The attack vector exploited is Remote Template Injection.
- The victim receives a simple Word document that contains hate speech or some hacktivist agenda written in English or Russian.
- Upon opening the document, a macro template is injected remotely, which allows information to be exfiltrated from the target system.
- The information is recorded by the Ekipa panel and provided to the attacker.
- Using the Implants section, an attacker can further leverage their initial access to the compromised system to run commands or upload files remotely.
- The image below depicts an attempt to open a remote connection from the compromised host by downloading the PuTTY client onto it.
- The image below depicts an attempt at remote command execution via the GUI C-Panel, using the “shutdown” command.
- A disadvantage of this RAT is that it works only when macros are enabled.
- With Microsoft Office disabling macros indefinitely, Ekipa’s TTPs are less prominent now.
- Propagation of the Russian political agenda against its enemies during the Russia-Ukraine war
- Exfiltrating sensitive information
- Gaining remote system access
- A similar post (written in Russian) by the same actor was identified on 8 February 2022 on an English-language underground cybercrime forum.
- A tweet also mentioned the RAT, but no further discussion was observed.
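The Remote Template Injection vector described above leaves a concrete artifact in the document package: a `word/_rels/settings.xml.rels` part whose `attachedTemplate` relationship points at an external URL. The scanner below is an added example written for this page, not code from CloudSEK or from the Ekipa project. It constructs a minimal `.docx` in memory (the template URL `http://template.example/ekipa.dotm` and the UNC path are constructed placeholders, not indicators from the report) and flags documents whose attached template is fetched over HTTP(S) or a UNC share, while also reporting whether a `vbaProject.bin` macro part is present.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# OPC relationship namespace and the Word attachedTemplate relationship type.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"     # part that carries the template link
VBA_PART = "word/vbaProject.bin"                   # present only in macro-enabled files
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # web URL or UNC share


def scan_docx(data: bytes) -> Dict[str, object]:
    """Return remote-template and macro indicators for a Word OOXML package."""
    findings: Dict[str, object] = {
        "remote_templates": [],  # external attachedTemplate targets fetched over http(s)/UNC
        "has_macros": False,     # vbaProject.bin present in the package
        "suspicious": False,     # True when a remote template target was found
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_macros"] = VBA_PART in names
        if SETTINGS_RELS in names:
            root = ET.fromstring(zf.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                # A local file: target is normal for documents based on a user template;
                # only templates pulled from the network match the injection pattern.
                if target.lower().startswith(REMOTE_PREFIXES):
                    findings["remote_templates"].append(target)
    findings["suspicious"] = bool(findings["remote_templates"])
    return findings


def build_sample_docx(attached_template: Optional[str], external: bool = True) -> bytes:
    """Construct a minimal .docx (constructed test data, not a real sample) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="rels" '
            'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            "</Types>",
        )
        wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{wml}"/>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{wml}"/>')
        if attached_template is not None:
            mode = ' TargetMode="External"' if external else ""
            zf.writestr(
                SETTINGS_RELS,
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{attached_template}"{mode}/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL; not an indicator taken from the report.
    hostile = build_sample_docx("http://template.example/ekipa.dotm")
    benign = build_sample_docx("Normal.dotm", external=False)
    print(scan_docx(hostile))  # remote_templates populated, suspicious True
    print(scan_docx(benign))   # remote_templates empty, suspicious False
```

On a mail gateway or endpoint this check is cheap: it reads one small XML part from the zip and never opens the document in Office, so it runs before any template fetch or macro execution can occur. An `attachedTemplate` relationship with `TargetMode="External"` and a local `file:` target is normal for documents created from a user template, which is why only http(s) and UNC targets are reported.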
| Bypassed Antivirus / Security Providers |
|---|
| Symantec |
| Trend Micro |
| Windows Defender |
|List of Domains Contacted by Ekipa|
| Details Returned by the Macro Templates | |
|---|---|
| Thread name (the ability to create threads with different names for different purposes) | Capture the IP address of the targeted device |
| Country/City | Version of Windows and process list |
| Bit depth of MS Word/Excel | Domain and username |
| List of installed antivirus software, its status and how current its updates are | CPU and GPU manufacturer and model, with RAM capacity |
| Total number of drives and free space on them | File browser |
| View files and directories on the target PC | Download files and folders to/from the target PC as a .zip archive up to 2 GB in size |
| Delete, rename and move files on the target PC | Run executable files (.exe, .dll, etc.) |
| Execution of arbitrary command-line commands | |
Translation of the review: “I purchased and tested the product, the declared functionality works 100%. Excellent support at all stages of implementation; all the difficulties that arose (on my side) were successfully and quickly resolved.”