Category: Malware Intelligence | Type: Remote Access Trojan | Industry: Multiple | Region: Global
Executive Summary
THREAT | IMPACT | MITIGATION |
---|---|---|
Analysis and Attribution
Information from the Post
- On 10 February 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa”, created by Russian hacktivists.
- Ekipa was primarily designed for “targeted attacks”, i.e. to be employed against anyone refusing to accept Russian political beliefs.
- The advertised price for the RAT is USD 3,000, and the actor can be contacted via XMPP.

About Ekipa
- Ekipa (slang for “equipment”) is an MS Word macro/Excel add-on that is AMSI-enabled and works as a non-resident loader with file browser functions.
- It works remotely and does not reside in the victim’s RAM.
- Appears to be a Control Panel, however, works as a powerful RAT with embedded Visual Basic (VB) scripts.
- VB macro templates act as a fulcrum for Ekipa and are capable of extracting the victim’s details.
- FUD (fully undetectable) RAT, as shown by the multiple antivirus scans included in the PoC.
Attack Vector
- The RAT is equipped with a GUI builder to specify the target system.
- The starting point of the attack is an infected Word/Excel document crafted by the attacker.

- Two XML templates contain instructions for exfiltrating geographic information and system particulars of the target.
- These are injected into the Word/Excel document.
- The attack steps are the same for both; however, application add-ins have to be enabled for Excel.
- CVE-2021-26411, a use-after-free memory corruption vulnerability in Internet Explorer, is used for leverage.
- The exploit is coded into the template, which is then used to launch the RAT.
- The attack vector exploited is Remote Template Injection.
Modus Operandi
A working PoC (Proof of Concept) from the advertisement provided the following modus operandi:
- The victim receives a simple Word document that contains hate speech or some hacktivist agenda described in English or Russian.
- Upon opening the document, a macro template is injected remotely, which allows exfiltrating information from the target system.
- The information is recorded by the Ekipa panel and provided to the attacker.

- Using the Implants section, an attacker can further leverage their initial access to the compromised system to run commands or upload files remotely.
- The image below depicts an attempt to open a remote connection by downloading the PuTTY client onto the compromised host.

- The image below depicts an attempt for remote command execution via the GUI C-Panel, by using the “shutdown” command.

Problems
- A disadvantage of this RAT is that it works only when macros are enabled.
- With Microsoft Office disabling macros indefinitely, Ekipa's TTP is less prominent now.
Possible Motivation
The threat actor’s motivation behind the development and sharing of the RAT include:
- Propagation of Russian political agenda against its enemies during the Russia & Ukraine war
- Exfiltrating sensitive information
- Gaining remote system access
Mentions on Other Forums
- A similar post (written in Russian) by the same actor was identified on 8 February 2022 on an English-language underground cybercrime forum.

- A Tweet also mentioned the RAT, but no further discussion was observed.

Impact and Mitigation
Impact | Mitigation |
---|---|
Security Providers Tested Against Ekipa
Bypassed Antivirus / Security Providers | ||
---|---|---|
AVG | Avast | Avira |
Bitdefender | Bullguard | Comodo |
Dr-Web | F-Secure | G-Data |
Kaspersky | Malwarebytes | McAfee |
NOD32 | Norton | Panda |
Symantec | Trend Micro | Windows Defender |
History of Contacted Domains
List of Domains Contacted by Ekipa |
---|
https://cloud-documents[.]com/ |
https://cloud-documents[.]com/doc/ |
/doc?action=load_document |
/doc?action=show_content |
Details Extracted by Ekipa
Details Returned by the Macro Templates
- Thread name (the ability to create threads with different names for different purposes)
- Capture the IP address of the targeted device
- Country/City
- Version of Windows and process list
- Bit depth of MS Word/Excel
- Domain and username
- List of installed anti-virus software, its status and how recent its updates are
- CPU and GPU manufacturer and model, with RAM capacity
- The total number of drives and the free space on them
- File browser
- View files and directories on the target PC
- Download files and folders to/from the target PC as a .zip archive up to 2 GB in size
- Delete, rename and move files on the target PC
- Running executable files (.exe, .dll, etc.)
- Execution of arbitrary command-line commands
Indicators of Compromise
MD5 Hash | |
---|---|
a0b9a840adaba6664e7d26619c20bbd1 | 224cb9048f8743986b552d04f9e804cd |
SHA-1 Hash | |
0ac675e26b14a0bedf314799423d015f49f9a9f4 | 3567c37e030c07f8ab66f37b3f378b38bd14c92f |
SHA-256 | |
03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac | 0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a |
Appendix
Translation of the review: “I purchased and tested the product, the declared functionality works 100%. Excellent support at all stages of implementation, all the difficulties that arose (on my side) were successfully and quickly resolved.”