| Category: Malware Intelligence | Type: Remote Access Trojan | Industry: Multiple | Region: Global |
|---|
Executive Summary
| THREAT | IMPACT | MITIGATION |
|---|---|---|
|
|
|
Analysis and Attribution
Information from the Post
- On 10 February 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa", created by Russian hacktivists.
- Ekipa was primarily designed for “targeted attacks”, i.e. to be employed against anyone refusing to accept Russian political beliefs.
- The advertised price for RAT is USD 3,000 and the actor can be contacted via XMPP.
About Ekipa
- Ekipa (slang for “equipment”) is an MS Word macro/Excel add-on, that is AMSI enabled and a non-resident loader with file browser functions.
- Works remotely and does not exist on the victim’s RAM.
- Appears to be a Control Panel, however, works as a powerful RAT with embedded Visual Basic (VB) scripts.
- VB macro templates act as a fulcrum for Ekipa and are capable of extracting the victim’s details.
- FUD (fully undetectable) RAT, as depicted in multiple antivirus scans, in the PoC.
Attack Vector
- The RAT is equipped with a GUI builder, to specify the target system.
- Starting point of the attack is an infected Word/Excel document crafted by the attacker.
- Two XML templates contain instructions for exfiltrating geographic information and system particulars of the target.
- These are injected into the Word/Excel document.
- Attack steps are the same for both, however, application add-ins have to be enabled for Excel.
- CVE 2021-26411, i.e use after free memory corruption vulnerability on Internet Explorer, is used for leverage.
- Exploit is coded into the template, which is then used to launch the RAT.
- Attack vector exploited is Remote Template Injection.
Modus Operandi
A working PoC (Proof of Concept) from the advertisement, provided the following modus operandi:- Victim receives a simple word document that contains hate speech or some hacktivist agenda described in English or Russian.
- Upon opening the document, a macro template is injected remotely, which allows exfiltrating information from the target system.
- The information is recorded by the Ekipa panel and provided to the attacker.
- Using the Implants section, an attacker can further leverage their initial access to the compromised system to run commands or upload files remotely.
- The image below depicts an attempt to open a remote connection on the compromised host, by downloading the PuTTY client app on the compromised host.
-
- The image below depicts an attempt for remote command execution via the GUI C-Panel, by using the “shutdown” command.
Problems
- A disadvantage of this RAT is that it works only when macros are enabled.
- With Microsoft Office disabling macros indefinitely, Ekipa's TTP is less prominent now.
Possible Motivation
The threat actor’s motivation behind the development and sharing of the RAT include:- Propagation of Russian political agenda against its enemies during the Russia & Ukraine war
- Exfiltrating sensitive information
- Gaining remote system access
Mentions on Other Forums
- A similar post (scripted in Russian language) by the same actor was identified on 8 February 2022, on an English underground cybercrime forum.
- A Tweet also mentioned the RAT, but no further discussion was observed.
Impact and Mitigation
| Impact | Mitigation |
|---|---|
|
|
Security Providers Tested Against Ekipa
| Bypassed Antivirus / Security Providers | ||
|---|---|---|
| AVG | Avast | Avira |
| Bitdefender | Bullguard | Comodo |
| Dr-Web | F-Secure | G-Data |
| Kaspersky | Malwarebytes | Mcafee |
| NOD32 | Norton | Panda |
| Symantec | Trend Micro | Windows Defender |
History of Contacted Domains
| List of Domains Contacted by Ekipa |
|---|
| https//cloud-documents[.]com/ |
| https//cloud-documents.com/doc/ |
| /doc?action=load_document |
| /doc?action=show_content |
Details Extracted by Ekipa
| Details Returned by the Macro Templates | |
|---|---|
| Thread name (the ability to create threads with different names for different purposes) | Capture the IP Address of targeted device |
| Country/City | Version of Windows & processes list |
| Bit depth MS Word/Excel | Domain and username |
| List of installed anti-virus software, its status and relevance of updates | CPU & GPU manufacturer and model, with RAM Capacity |
| The total amount of drives and free space on them | File browser |
| View files and directories on the target PC | Download files and folders to/from the target PC as a .zip archive up to 2GB in size |
| Delete, rename and move files on the target PC | Running executable files .exe, .dll, etc |
| Execution of arbitrary command-line commands | |
Indicators of Compromise
| MD5 Hash | |
|---|---|
| a0b9a840adaba6664e7d26619c20bbd1 | 224cb9048f8743986b552d04f9e804cd |
| SHA-1 Hash | |
| 0ac675e26b14a0bedf314799423d015f49f9a9f4 | 3567c37e030c07f8ab66f37b3f378b38bd14c92f |
| SHA-256 | |
| 03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac | 0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a |
References
- #Traffic Light Protocol - Wikipedia
- Crimea "manifesto" deploys VBA Rat using double attack vectors | Malwarebytes Labs
- User Account Control - Wikipedia
- Microsoft Defender weakness lets hackers bypass malware detection (bleepingcomputer.com)
Appendix
 |
|---|
| Translation of the review - “I purchased and tested the product, the declared functionality works 100% Excellent support at all stages of implementation, all the difficulties that arose (On my side) were successfully and quickly resolved.” |