Category: Malware Intelligence
Type: Remote Access Trojan
Industry: Multiple
Region: Global
Executive Summary
Threat
- Russian hacktivists designed Ekipa RAT for targeted attacks.
- The RAT is capable of exfiltrating system information, executing commands, and uploading files remotely.
Impact
- Increased risk of malware spread on systems where AV/Defender has been bypassed.
- Provision of higher system privileges.
Mitigation
- Keep AV/Defender versions updated.
- Avoid clicking on suspicious links.
Analysis and Attribution
Information from the Post
- On 10 February 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa”, created by Russian hacktivists.
- Ekipa was primarily designed for “targeted attacks”, i.e. to be employed against anyone refusing to accept Russian political beliefs.
- The advertised price for the RAT is USD 3,000, and the actor can be contacted via XMPP.
Figure: The crux of the threat actor’s post on the forum
About Ekipa
- Ekipa (slang for “equipment”) is an MS Word macro/Excel add-on that is AMSI enabled and a non-resident loader with file browser functions.
- Works remotely and does not reside in the victim’s RAM.
- Appears to be a control panel but works as a powerful RAT with embedded Visual Basic (VB) scripts.
- VB macro templates act as the fulcrum of Ekipa and are capable of extracting the victim’s details.
- FUD (fully undetectable) RAT, as depicted by multiple antivirus scans in the PoC.
Attack Vector
- The RAT is equipped with a GUI builder to specify the target system.
- The starting point of the attack is an infected Word/Excel document crafted by the attacker.
Figure: Application add-in prompt to be enabled for MS Excel
- Two XML templates contain instructions for exfiltrating geographic information and system particulars of the target.
- These are injected into the Word/Excel document.
- The attack steps are the same for both; however, application add-ins have to be enabled for Excel.
- CVE-2021-26411, a use-after-free memory corruption vulnerability in Internet Explorer, is used for leverage.
- The exploit is coded into the template, which is then used to launch the RAT.
- The attack vector exploited is Remote Template Injection.
Modus Operandi
A working PoC (Proof of Concept) from the advertisement demonstrated the following modus operandi:
- The victim receives a simple Word document containing hate speech or a hacktivist agenda written in English or Russian.
- Upon opening the document, a macro template is injected remotely, which allows information to be exfiltrated from the target system.
- The information is recorded by the Ekipa panel and provided to the attacker.
Figure: Ekipa panel on the threat actor’s side recording target information
- Using the Implants section, an attacker can further leverage their initial access to run commands or upload files remotely on the compromised system.
- The image below depicts an attempt to open a remote connection from the compromised host by downloading the PuTTY client onto it.
Figure: Attacker attempting to open a remote connection on the compromised host
- The image below depicts an attempt at remote command execution via the GUI C-Panel, using the “shutdown” command.
Figure: Attacker executing the “shutdown” command
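The Attack Vector and Modus Operandi sections above both hinge on one artifact: the delivered Word/Excel file carries no macro itself, only a reference that makes Office fetch a template from the actor's server when the document is opened. That reference lives in the OOXML package as an attachedTemplate relationship whose Target is an external URL. The following Python scanner is an added example from the editor, not code from the CloudSEK report or from the Ekipa tooling; it opens a .docx as a zip, reads the relationship files, and flags any template that would be loaded over HTTP(S), comparing the host against the defanged domain published in this report. Local templates (file:/// targets, which Word also marks as External) are the benign norm and are not flagged. The `build_sample` fixture is constructed for offline testing and is not a valid Word document; the `example.invalid` URL in it is a placeholder.

```python
"""Static check for remote template injection in OOXML (.docx/.dotm) files.

A .docx is a zip archive. When a document pulls its template from a server,
word/_rels/settings.xml.rels contains a Relationship of type attachedTemplate
with TargetMode="External" and an http(s) Target. Because the macro lives on
the server, the delivered file scans clean; a defender's check therefore looks
at the relationship, not at the (absent) VBA project.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# settings.xml.rels is where Word records the attached template; document.xml.rels
# is checked too in case a crafted file places the relationship there.
RELS_PATHS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")

# Host taken from the report's "History of Contacted Domains", kept defanged.
KNOWN_BAD_HOSTS = {"cloud-documents[.]com"}


def defang(host: str) -> str:
    """Render a hostname the way the report does so it can be compared to the IoC list."""
    return host.replace(".", "[.]")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return one finding per attachedTemplate relationship that resolves over http(s).

    Each finding records the .rels file, the relationship Id, the raw Target and
    whether the target host matches a published indicator.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for rels_name in RELS_PATHS:
            if rels_name not in names:
                continue
            root = ET.fromstring(zf.read(rels_name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                parsed = urlparse(target)
                # file:/// and bare paths are ordinary local templates (Normal.dotm etc.).
                if parsed.scheme.lower() not in ("http", "https"):
                    continue
                host = parsed.hostname or ""
                findings.append({
                    "rels_file": rels_name,
                    "id": rel.get("Id"),
                    "target": target,
                    "known_ioc": defang(host) in KNOWN_BAD_HOSTS,
                })
    return findings


def build_sample(template_url: str) -> bytes:
    """Constructed test fixture: a minimal archive holding only the settings
    relationship file. It is NOT a usable Word document (no document.xml, no
    macros); it exists so the scanner can be exercised offline."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host (example.invalid) is constructed; the second uses the report's IoC.
    for url in (
        "https://example.invalid/template.dotm",
        "https://cloud-documents.com/doc?action=load_document",
        "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm",
    ):
        for f in find_remote_templates(build_sample(url)):
            flag = "KNOWN IoC" if f["known_ioc"] else "remote template"
            print(f"{flag}: {f['rels_file']} {f['id']} -> {f['target']}")
```

Run it against a real attachment by replacing the fixture with `open(path, "rb").read()`; any finding is worth a look, and a `known_ioc` hit ties the file directly to the infrastructure listed in this report.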
Problems
- A disadvantage of this RAT is that it works only when macros are enabled.
- With Microsoft Office disabling macros indefinitely, Ekipa’s TTP is now less prominent.
Possible Motivation
The threat actor’s motivations behind developing and sharing the RAT include:
- Propagation of the Russian political agenda against its enemies during the Russia-Ukraine war
- Exfiltrating sensitive information
- Gaining remote system access
Mentions on Other Forums
- A similar post (written in Russian) by the same actor was identified on 8 February 2022 on an English-language underground cybercrime forum.
Figure: A similar post was made on another underground cybercrime forum, advertising the Ekipa service.
- A tweet also mentioned the RAT, but no further discussion was observed.
Figure: Screenshot from Twitter, mentioning the Malwarebytes report on the Ekipa RAT
Impact and Mitigation
Impact
- Provision of higher privileges on the system can lead to unwanted system changes.
- Exfiltration of sensitive information from compromised systems.
- Ability to run malicious commands or upload malware files remotely.
Mitigation
- Implement least privilege on computer systems and use root/admin privileges only when required.
- Monitor all network access to and from computer systems.
- Check computer systems for abnormal behavior and investigate any that is found.
Security Providers Tested Against Ekipa
Bypassed antivirus / security providers:
- AVG
- Avast
- Avira
- Bitdefender
- Bullguard
- Comodo
- Dr.Web
- F-Secure
- G-Data
- Kaspersky
- Malwarebytes
- McAfee
- NOD32
- Norton
- Panda
- Symantec
- Trend Micro
- Windows Defender
History of Contacted Domains
Domains and URL paths contacted by Ekipa (defanged):
- https[:]//cloud-documents[.]com/
- https[:]//cloud-documents[.]com/doc/
- /doc?action=load_document
- /doc?action=show_content
Details Extracted by Ekipa
Details returned by the macro templates:
- Thread name (the ability to create threads with different names for different purposes)
- IP address of the targeted device
- Country/City
- Windows version and process list
- Bit depth of MS Word/Excel
- Domain and username
- List of installed anti-virus software, its status and how current its updates are
- CPU and GPU manufacturer and model, with RAM capacity
- Total number of drives and free space on them
File browser:
- View files and directories on the target PC
- Download files and folders to/from the target PC as a .zip archive up to 2 GB in size
- Delete, rename and move files on the target PC
- Run executable files (.exe, .dll, etc.)
- Execute arbitrary command-line commands
Indicators of Compromise
MD5:
- a0b9a840adaba6664e7d26619c20bbd1
- 224cb9048f8743986b552d04f9e804cd
SHA-1:
- 0ac675e26b14a0bedf314799423d015f49f9a9f4
- 3567c37e030c07f8ab66f37b3f378b38bd14c92f
SHA-256:
- 03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac
- 0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a
Appendix
Figure: XML templates injected into the Word/Excel document
Figure: Security vendor rating of hashes associated with the Ekipa RAT
Figure: Security vendor rating of hashes associated with the Ekipa RAT (second sample)
Figure: A satisfied customer’s review from the forum
Translation of the review: “I purchased and tested the product; the declared functionality works 100%. Excellent support at all stages of implementation; all the difficulties that arose (on my side) were successfully and quickly resolved.”