Trustwave SpiderLabs analyzed Ekipa RAT in the wild and found threat actors adopting Microsoft Publisher macros to push the trojan, alongside Word macros and XLL variants, as part of remote-template campaigns. The research documents Ekipa's deployment in the Russia–Ukraine context, its data-collection and tasking capabilities, and notable additions such as an AMSI bypass and a reverse shell, illustrating how the operators adapt their tooling.
Keypoints
- Ekipa RAT is distributed via Microsoft Office documents, including Word macros and new Publisher/XLL variants, as part of remote-template campaigns.
- The infection uses a one-time VBA macro template loaded from a remote URL, with the template executing after the user closes the document.
- Malware collects system information, enumerates drives/files, exfiltrates data, downloads additional payloads, and can execute commands through a built-in task list (nine tasks listed).
- Command execution uses a SendInput technique: the macro synthesizes keyboard input to open the Run window and type the command, so the resulting process is launched by the shell rather than as a child of the Office application, breaking the parent-child relationship that detection rules typically key on.
- Ekipa ships a PowerShell AMSI bypass one-liner (setting the amsiInitFailed field so scanning is skipped) to blunt Defender and other AMSI consumers, and uses PowerShell-based loaders and Cobalt Strike beacons for second-stage payloads.
- A reverse shell capability was added, creating a cmd.exe process with pipes to route input/output for attacker control.
- Threat actors used geographically targeted C2 servers (e.g., Ukraine-geo-fenced C2) and observed connections to Russian entities, illustrating multi-front activity in the Russia–Ukraine conflict.
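The remote-template mechanism above is visible in the document itself before any macro runs: an OOXML Word file declares its attached template in word/_rels/settings.xml.rels, and a remote template shows up as an external relationship whose target is an http(s) or UNC location. The scanner below is an added example, not Trustwave's tooling; it builds a constructed sample document in memory (the hypothetical URL example.invalid and the local Normal.dotm path are placeholders) and flags only network-hosted templates, since a local file:/// attached template is normal for documents created from a custom template.

```python
"""Flag Word documents whose attached template is fetched from a remote location.

Added example (not from the Trustwave analysis). Works on .docx/.dotx/.docm files,
which are zip containers holding OOXML parts.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/settings.xml.rels"
# Schemes that mean the template is pulled over the network when the document opens.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")


def find_remote_templates(doc):
    """Return external attachedTemplate targets that point at a network location.

    `doc` is a path or the raw bytes of an OOXML document. Local targets such as
    file:///C:/.../Normal.dotm are external relationships too, so they are ignored.
    """
    src = io.BytesIO(doc) if isinstance(doc, (bytes, bytearray)) else doc
    hits = []
    with zipfile.ZipFile(src) as z:
        if RELS_PART not in z.namelist():
            return hits                      # no settings relationships: no template
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_sample_docx(template_target):
    """Constructed minimal .docx whose settings part references `template_target`."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", settings)
        z.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical remote template URL (placeholder host, not an IoC from the report).
    remote = build_sample_docx("https://example.invalid/acpx/t.php?action=show_document")
    local = build_sample_docx("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
    print("remote doc:", find_remote_templates(remote))   # one URL flagged
    print("local doc: ", find_remote_templates(local))    # nothing flagged
```

Run it over a mail-gateway quarantine or a user's Downloads folder to triage attachments; a hit only tells you the document will reach out for a template, so pair it with the URL and domain indicators listed below rather than treating every remote template as malicious.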
MITRE Techniques
- [T1059.005] Visual Basic – The trojan leverages MS Office and Visual Basic for Applications as its main infection and operations vector. Quote: ‘the trojan leverages MS Office and Visual Basic for Applications as its main infection and operations vector.’
- [T1059.001] PowerShell – The campaign uses PowerShell-based loading and Cobalt Strike beacons to fetch second-stage payloads. Quote: ‘PowerShell beacon loader and Cobalt Strike Team Server IP address in the configuration.’
- [T1059.003] Windows Command Shell – Operator commands are run via the SendInput technique (keystrokes typed into the Run window), and the reverse shell feature creates a cmd.exe process whose standard input and output are routed through pipes for attacker control. Quote: ‘It creates a cmd.exe process with a modified StartupInfoA structure so that standard input and output is routed through two created pipes.’
- [T1562.001] Impair Defenses – A PowerShell AMSI bypass is implemented to evade security tooling. Quote: ‘[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)’
- [T1082] System Information Discovery – The macro collects system information (basic system information, installed AV products, GPU and CPU information, and more). Quote: ‘Collecting information about a targeted system (basic system information, installed AV products, GPU and CPU information and more)’.
- [T1083] File and Directory Discovery – The malware enumerates drives and files/directories as part of its operations. Quote: ‘Enumerate drives’ and ‘Enumerate files and directories’.
- [T1105] Ingress Tool Transfer – The malware downloads files from remote servers to fetch payloads (e.g., remote template, second-stage loaders). Quote: ‘Download file’.
- [T1041] Exfiltration Over C2 Channel – The RAT exfiltrates files or directories as part of its data collection and staging. Quote: ‘Exfiltrate files or directories’.
Indicators of Compromise
- [Domain] cloud-documents.com – C2 domain for initial document fetch.
- [Domain] azure-tech.pro – C2 domain observed during analysis.
- [Domain] roskazna.net – C2 domain used in remote template campaigns.
- [Domain] kc-3.ru – Domain used in lure documents targeting Russian recipients.
- [IP] 146.70.87.218 – Second-stage payload hosting observed in the loading chain.
- [IP] 146.70.87.148 – Related hosting for Ekipa campaign.
- [Hash] 03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac – Initial Word document/remote template hash.
- [Hash] 0661fc4eb09e99ba4d8e28a2d5fae6bb243f6acc0289870f9414f9328721010a – Initial Word document/remote template hash.
- [File name] Приказ №21 от 29-03-2022.docx – Initial Word document used to trigger remote template fetch.
- [URL] hxxps://roskazna.net/acpx/t.php?t=774b4bcb8d7287d011ac9cb2d7ff2a76659ca82a46e5df7783c9ff011d19b21e17393264b85072391adc0b57f0abea9e&action=show_document&z=1&x=2500 – Remote template URL pattern observed for Ekipa.