Ekipa Remote Access Trojan Designed by Russian Hacktivists for “Targeted Attacks”

XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa", created by Russian hacktivists.
Published on: July 7, 2022
Updated on: April 19, 2023
Category: Malware Intelligence | Type: Remote Access Trojan | Industry: Multiple | Region: Global

Executive Summary

Threat
  • Russian hacktivists designed Ekipa RAT for targeted attacks.
  • The RAT is capable of exfiltrating system information, executing commands, and uploading files remotely.
Impact
  • Increased risk of malware spreading on systems whose AV/Defender has been bypassed.
  • Provision of higher system privileges to the attacker.
Mitigation
  • Keep AV/Defender versions updated.
  • Avoid clicking on suspicious links.

Analysis and Attribution

Information from the Post

  • On 10 February 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a macro RAT (Remote Access Trojan) dubbed “Ekipa", created by Russian hacktivists.
  • Ekipa was primarily designed for “targeted attacks”, i.e. to be employed against anyone who refuses to accept Russian political beliefs.
  • The advertised price for the RAT is USD 3,000, and the actor can be contacted via XMPP.
[Figure: The crux of the threat actor’s post on the forum]

About Ekipa

  • Ekipa (slang for “equipment”) is an MS Word macro / Excel add-in that is AMSI-enabled and acts as a non-resident loader with file browser functions.
  • It works remotely and does not reside in the victim’s RAM.
  • It appears to be a control panel; however, it works as a powerful RAT with embedded Visual Basic (VB) scripts.
  • VB macro templates act as the fulcrum of Ekipa and are capable of extracting the victim’s details.
  • It is advertised as a FUD (fully undetectable) RAT, as shown by the multiple antivirus scans in the PoC.

Attack Vector

  • The RAT is equipped with a GUI builder used to specify the target system.
  • The starting point of the attack is a malicious Word/Excel document crafted by the attacker.
[Figure: Application add-in prompt that has to be enabled for MS Excel]
  • Two XML templates contain instructions for exfiltrating geographic information and system particulars of the target.
  • These are injected into the Word/Excel document.
  • The attack steps are the same for both; however, application add-ins have to be enabled for Excel.
  • CVE-2021-26411, a use-after-free memory corruption vulnerability in Internet Explorer, is leveraged.
  • The exploit is coded into the template, which is then used to launch the RAT.
  • The attack vector exploited is Remote Template Injection.

Modus Operandi

A working PoC (Proof of Concept) from the advertisement showed the following modus operandi:
  • The victim receives a simple Word document containing hate speech or a hacktivist agenda written in English or Russian.
  • Upon opening the document, a macro template is injected remotely, which allows information to be exfiltrated from the target system.
  • The information is recorded by the Ekipa panel and provided to the attacker.
[Figure: Ekipa panel on the threat actor’s side recording target information]
  • Using the Implants section, the attacker can further leverage their initial access to run commands or upload files on the compromised system.
    • The image below depicts an attempt to open a remote connection from the compromised host by downloading the PuTTY client onto it.
[Figure: Attacker attempting to open a remote connection on the compromised host]
    • The image below depicts an attempt at remote command execution via the GUI panel, using the “shutdown” command.
[Figure: Attacker executing the “shutdown” command]
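The Attack Vector and Modus Operandi sections above describe a Remote Template Injection lure: the document itself carries no macro, but an OOXML relationship with TargetMode="External" makes Word fetch a remote (macro-enabled) template when the file is opened. The following is an added example, not code from the CloudSEK report or from Ekipa itself, showing how a mail gateway or sandbox pre-filter could flag such a document statically. It constructs a minimal sample .docx in memory (the file layout, helper names and sample URL are assumptions for illustration), then parses every `.rels` part for an external `attachedTemplate` relationship and compares the referenced host and the file hash against the domain and SHA-256 values published in this report's IOC sections.

```python
"""Static check for Remote Template Injection in an OOXML document.

Added example, not the report's or the RAT's code. The constructed sample
mimics only the one relationship that matters for the technique.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML relationship type for an attached template (what Word fetches on open).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# IOCs from this report (domain refanged from cloud-documents[.]com).
KNOWN_BAD_HOSTS = {"cloud-documents.com"}
KNOWN_SHA256 = {
    "03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac",
    "0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a",
}


def build_sample_docx(template_target: str, external: bool = True) -> bytes:
    """Construct a minimal .docx (a demo sample, not a real Ekipa lure).

    external=True makes settings.xml.rels reference template_target as a
    remote template; external=False references a local template instead.
    """
    mode = ' TargetMode="External"' if external else ""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS[1:-1]}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        )
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{W_NS}"/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def find_remote_templates(doc_bytes: bytes) -> list:
    """Return every external attachedTemplate relationship found in any .rels part.

    This is the fingerprint of Remote Template Injection: the lure stays
    macro-free, and the macro lives in the template fetched from Target.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{REL_NS}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                host = (urlsplit(target).hostname or "").lower()
                findings.append(
                    {"part": part, "target": target, "host": host, "known_bad": host in KNOWN_BAD_HOSTS}
                )
    return findings


def matches_known_hash(doc_bytes: bytes) -> bool:
    """Hash IOC match against the SHA-256 values published in this report."""
    return hashlib.sha256(doc_bytes).hexdigest() in KNOWN_SHA256


if __name__ == "__main__":
    sample = build_sample_docx("https://cloud-documents.com/doc?action=load_document")
    for hit in find_remote_templates(sample):
        print(hit)
    print("known hash:", matches_known_hash(sample))
```

Any external `attachedTemplate` relationship deserves a look even when the host is not on the IOC list; the `known_bad` flag only raises the priority. Hash matching alone is weak against this technique, since the lure document can be regenerated per target while the remote template stays the same.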

Problems

  • A limitation of this RAT is that it works only when macros are enabled.
  • With Microsoft Office now blocking VBA macros in files obtained from the internet by default, Ekipa’s TTP is less effective than it was.

Possible Motivation

The threat actor’s motivation behind the development and sharing of the RAT include:
  • Propagation of Russian political agenda against its enemies during the Russia & Ukraine war
  • Exfiltrating sensitive information
  • Gaining remote system access

Mentions on Other Forums

  • A similar post (written in Russian) by the same actor was identified on 8 February 2022 on an English-language underground cybercrime forum.
[Figure: A similar post on another underground cybercrime forum, advertising the Ekipa service]
  • A tweet also mentioned the RAT, but no further discussion was observed.
[Figure: Screenshot from Twitter, mentioning the Malwarebytes report on the Ekipa RAT]

Impact and Mitigation

Impact
  • Provision of higher privileges on the system can lead to unwanted system changes.
  • Exfiltration of sensitive information from compromised systems.
  • Ability to run malicious commands or upload malware files remotely.
Mitigation
  • Implement least privilege on computer systems and use root/admin privileges only when required.
  • Monitor all network access to/from computer systems.
  • Check for abnormal behaviour on computer systems and investigate any that is observed.

Security Providers Tested Against Ekipa

Bypassed antivirus / security providers:
  • AVG, Avast, Avira
  • Bitdefender, Bullguard, Comodo
  • Dr.Web, F-Secure, G-Data
  • Kaspersky, Malwarebytes, McAfee
  • NOD32, Norton, Panda
  • Symantec, Trend Micro, Windows Defender

History of Contacted Domains

List of domains and request paths contacted by Ekipa (defanged):
  • https[:]//cloud-documents[.]com/
  • https[:]//cloud-documents[.]com/doc/
  • /doc?action=load_document (request path)
  • /doc?action=show_content (request path)
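The mitigation advice above (monitor all network access to and from endpoints) and the IOC list in this section can be joined into a simple detection. The following is an added example, not part of the CloudSEK report: it refangs the published indicators in memory, parses proxy log lines, and rates each hit. A request to the listed domain is treated as high confidence; a request whose path matches the Ekipa panel's `/doc?action=...` pattern on some other host is reported as low confidence, since the panel could be hosted elsewhere but the path alone is not conclusive. The log lines and their field layout are constructed for the demo and are not a real proxy format.

```python
"""Proxy-log matching against the network IOCs published in this report.

Added example, not the report's code. Indicators stay defanged in the source
and are refanged only at runtime; the sample log is constructed.
"""
import re
from urllib.parse import urlsplit

DEFANGED_URLS = [
    "https[:]//cloud-documents[.]com/",
    "https[:]//cloud-documents[.]com/doc/",
]
# Request paths the report lists as used by the Ekipa panel.
SUSPICIOUS_PATHS = {"/doc?action=load_document", "/doc?action=show_content"}


def refang(ioc: str) -> str:
    """Undo common defanging ([:], [.], (.), hxxp) so the IOC can be parsed as a URL."""
    s = ioc.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


BAD_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_URLS}

# Constructed sample log (assumed layout): timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2022-02-10T09:14:02Z 10.20.1.17 GET https://cloud-documents.com/doc?action=load_document 200
2022-02-10T09:14:03Z 10.20.1.17 GET https://cloud-documents.com/doc?action=show_content 200
2022-02-10T09:15:11Z 10.20.1.42 GET https://www.example.com/index.html 200
2022-02-10T09:16:40Z 10.20.1.9 GET https://example.net/doc?action=load_document 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_log(text: str) -> list:
    """Return one finding per log line that touches the published indicators.

    Domain match -> "high" confidence; path-only match -> "low" confidence.
    Lines that do not parse are skipped rather than guessed at.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        path_query = parts.path + (f"?{parts.query}" if parts.query else "")
        host = (parts.hostname or "").lower()
        if host in BAD_HOSTS:
            confidence = "high"
        elif path_query in SUSPICIOUS_PATHS:
            confidence = "low"
        else:
            continue
        findings.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "host": host,
            "path": path_query,
            "status": m.group("status"),
            "confidence": confidence,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A real deployment would replace `SAMPLE_LOG` with the proxy or DNS export for the date range of interest and feed high-confidence hits straight to the host-isolation step, while low-confidence hits go to triage together with the document-level check from the Modus Operandi section.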

Details Extracted by Ekipa

Details returned by the macro templates:
  • Thread name (the ability to create threads with different names for different purposes)
  • IP address of the targeted device
  • Country/City
  • Version of Windows and the process list
  • Bitness (32-/64-bit) of MS Word/Excel
  • Domain and username
  • List of installed anti-virus software, its status and how current its updates are
  • CPU and GPU manufacturer and model, with RAM capacity
  • Total number of drives and the free space on them
  • File browser: view files and directories on the target PC
  • Download files and folders to/from the target PC as a .zip archive of up to 2 GB
  • Delete, rename and move files on the target PC
  • Run executable files (.exe, .dll, etc.)
  • Execute arbitrary command-line commands

Indicators of Compromise

MD5
  a0b9a840adaba6664e7d26619c20bbd1
  224cb9048f8743986b552d04f9e804cd
SHA-1
  0ac675e26b14a0bedf314799423d015f49f9a9f4
  3567c37e030c07f8ab66f37b3f378b38bd14c92f
SHA-256
  03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac
  0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a

Appendix

[Figure: XML templates injected into the Word/Excel document]
[Figure: Security vendor rating of hashes associated with the Ekipa RAT]
[Figure: Security vendor rating of hashes associated with the Ekipa RAT (second sample)]
[Figure: A satisfied customer’s review from the forum]
Translation of the review: “I purchased and tested the product, the declared functionality works 100%. Excellent support at all stages of implementation, all the difficulties that arose (on my side) were successfully and quickly resolved.”