Ekipa Remote Access Trojan Designed by Russian Hacktivists for “Targeted Attacks”

Summary

XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa", created by Russian hacktivists.
 
Category: Malware Intelligence
Type: Remote Access Trojan
Industry: Multiple
Region: Global

Executive Summary

Threat
  • Russian hacktivists designed the Ekipa RAT for targeted attacks.

Impact
  • The RAT is capable of exfiltrating system information, executing commands, and uploading files remotely.
  • Increased risk of malware spread on systems where AV/Defender has been bypassed.
  • Provision of higher system privileges.

Mitigation
  • Keep AV/Defender versions updated.
  • Avoid clicking on any suspicious links.

Analysis and Attribution

Information from the Post

  • On 10 February 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa", created by Russian hacktivists.
  • Ekipa was primarily designed for “targeted attacks”, i.e. to be employed against anyone refusing to accept Russian political beliefs.
  • The advertised price for the RAT is USD 3,000, and the actor can be contacted via XMPP.
The crux of the threat actor’s post on the forum

About Ekipa

  • Ekipa (slang for “equipment”) is an MS Word macro/Excel add-in that is AMSI-enabled and acts as a non-resident loader with file browser functions.
  • It works remotely and does not reside in the victim’s RAM.
  • It appears to be a Control Panel; however, it works as a powerful RAT with embedded Visual Basic (VB) scripts.
  • VB macro templates act as a fulcrum for Ekipa and are capable of extracting the victim’s details.
  • FUD (fully undetectable) RAT, as shown by the multiple antivirus scans in the PoC.

Attack Vector

  • The RAT is equipped with a GUI builder to specify the target system.
  • The starting point of the attack is an infected Word/Excel document crafted by the attacker.
Application add-in prompt to be enabled for MS Excel
  • Two XML templates contain instructions for exfiltrating geographic information and system particulars of the target.
  • These are injected into the Word/Excel document.
  • The attack steps are the same for both; however, application add-ins have to be enabled for Excel.
  • CVE-2021-26411, a use-after-free memory corruption vulnerability in Internet Explorer, is leveraged.
  • The exploit is coded into the template, which is then used to launch the RAT.
  • The attack vector exploited is Remote Template Injection.
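Remote Template Injection leaves a recognisable trace in the document itself: a .docx is a ZIP of XML parts, and a document that pulls its template from a URL carries an `attachedTemplate` relationship with `TargetMode="External"` in `word/_rels/settings.xml.rels`. The scanner below is an added example for defenders, not code from the report or from the Ekipa authors; it flags that relationship and the presence of an embedded VBA project, and builds its own constructed test document (the URL and host are placeholders, only the query path mirrors the one the report lists).

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

# Relationship type Word uses for the attached (.dotm) template; remote
# template injection points this at a URL with TargetMode="External".
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def scan_docx(data: bytes) -> dict:
    """Return remote-template URLs and whether a VBA project is embedded."""
    result = {"remote_templates": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba"] = "word/vbaProject.bin" in names
        if SETTINGS_RELS not in names:
            return result
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(PKG_NS + "Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                target = rel.get("Target", "")
                # Only network/UNC-style targets indicate a remote fetch.
                if urlparse(target).scheme.lower() in ("http", "https", "file"):
                    result["remote_templates"].append(target)
    return result


def build_sample(template_url=None) -> bytes:
    """Constructed minimal .docx for testing (not a real Ekipa sample)."""
    rels = ET.Element(PKG_NS + "Relationships")
    if template_url:
        ET.SubElement(rels, PKG_NS + "Relationship", Id="rId1", Type=ATTACHED_TEMPLATE,
                      Target=template_url, TargetMode="External")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr(SETTINGS_RELS, ET.tostring(rels, encoding="unicode"))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; the query path mirrors the one listed in the report.
    sample = build_sample("https://template-host.example/doc?action=load_document")
    print(scan_docx(sample))
```

A benign document without the relationship yields an empty list, so the check can run over an attachment quarantine without prior knowledge of the C2 domain.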

Modus Operandi

A working PoC (Proof of Concept) from the advertisement showed the following modus operandi:
  • The victim receives a simple Word document that contains hate speech or some hacktivist agenda described in English or Russian.
  • Upon opening the document, a macro template is injected remotely, which allows information to be exfiltrated from the target system.
  • The information is recorded by the Ekipa panel and provided to the attacker.
Ekipa panel on the threat actor’s side recording target information
  • Using the Implants section, an attacker can further leverage their initial access to the compromised system to run commands or upload files remotely.
    • The image below depicts an attempt to open a remote connection on the compromised host by downloading the PuTTY client onto it.
Attacker attempting to open a remote connection on the compromised host

    • The image below depicts an attempt at remote command execution via the GUI C-Panel, using the “shutdown” command.
Attacker executing the “shutdown” command

Problems

  • A disadvantage of this RAT is that it works only when macros are enabled.
  • With Microsoft Office disabling macros indefinitely, Ekipa's TTP is less prominent now.

Possible Motivation

The threat actor’s motivations behind the development and sharing of the RAT include:
  • Propagation of Russian political agenda against its enemies during the Russia & Ukraine war
  • Exfiltrating sensitive information
  • Gaining remote system access

Mentions on Other Forums

  • A similar post (written in Russian) by the same actor was identified on 8 February 2022 on an English underground cybercrime forum.
A similar post was made on another underground cybercrime forum, advertising the Ekipa service.
  • A tweet also mentioned the RAT, but no further discussion was observed.
Screenshot from Twitter, mentioning the Malwarebytes report on the Ekipa RAT

Impact and Mitigation

Impact
  • Provision of higher privileges on the system can lead to unwanted system changes taking place.
  • Exfiltration of sensitive information from compromised systems.
  • Ability to run malicious commands or upload malware files remotely.

Mitigation
  • Implement least privilege on computer systems and use root/admin privileges only when required.
  • Monitor all network access to/from computer systems.
  • Investigate any abnormal behavior observed on computer systems.

Security Providers Tested Against Ekipa

Bypassed Antivirus / Security Providers
  • AVG
  • Avast
  • Avira
  • Bitdefender
  • Bullguard
  • Comodo
  • Dr-Web
  • F-Secure
  • G-Data
  • Kaspersky
  • Malwarebytes
  • McAfee
  • NOD32
  • Norton
  • Panda
  • Symantec
  • Trend Micro
  • Windows Defender

History of Contacted Domains

List of Domains Contacted by Ekipa
https//cloud-documents[.]com/
https//cloud-documents.com/doc/
/doc?action=load_document
/doc?action=show_content

Details Extracted by Ekipa

Details Returned by the Macro Templates
  • Thread name (the ability to create threads with different names for different purposes)
  • Capture the IP address of the targeted device
  • Country/City
  • Version of Windows & process list
  • Bit depth (MS Word/Excel)
  • Domain and username
  • List of installed anti-virus software, its status and relevance of updates
  • CPU & GPU manufacturer and model, with RAM capacity
  • The total amount of drives and free space on them
  • File browser
  • View files and directories on the target PC
  • Download files and folders to/from the target PC as a .zip archive up to 2GB in size
  • Delete, rename and move files on the target PC
  • Running executable files (.exe, .dll, etc.)
  • Execution of arbitrary command-line commands

Indicators of Compromise

MD5 Hash
a0b9a840adaba6664e7d26619c20bbd1 224cb9048f8743986b552d04f9e804cd
SHA-1 Hash
0ac675e26b14a0bedf314799423d015f49f9a9f4 3567c37e030c07f8ab66f37b3f378b38bd14c92f
SHA-256
03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac 0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a

Appendix

XML templates injected into the Word/Excel document

Security vendor rating of hashes associated with the Ekipa RAT

Security vendor rating of hashes associated with the Ekipa RAT

A satisfied customer’s review from the forum

Translation of the review - “I purchased and tested the product, the declared functionality works 100% Excellent support at all stages of implementation, all the difficulties that arose (On my side) were successfully and quickly resolved.”