The Malwarebytes threat intelligence team has identified a new malware campaign that loads two remote templates: a macro-enabled file and an HTML object file carrying Internet Explorer exploit code (CVE-2021-26411). Together they install a fully featured remote access trojan (RAT) on the target machine.

Researchers spotted a malicious file named “Manifest.docx” which executes shellcode to install the RAT on the victim machine.

The experts also identified a panel used by the threat actors, dubbed “Ekipa” (meaning “team”). They further observed that the threat group tracks statistics on the exploitation of the IE vulnerability against victims, a vulnerability for which Microsoft had already released patches.

Source: Malwarebytes

The Malwarebytes team also noted that the VBA RAT performs actions such as collecting victim information, identifying AV products running on the target machine, and uploading, deleting and downloading files.

“After loading the remote templates the malicious document loads a decoy document in Russian which is pretty interesting. The decoy document is a statement from a group within Crimea that voices opposition to Russia and specifically Putin’s policies against that peninsula.” reads the blog post.


“As the conflict between Russia and Ukraine over Crimea continues, cyber attacks have been increasing as well. The decoy document contains a manifesto that shows a possible motive (Crimea) and target (Russian and pro-Russian individuals) behind this attack. However, it could also have been used as a false flag.” concludes the blog post.

Indicators of Compromise:

Remote template:

C2 server:

Source: Malwarebytes.
