VBA RAT Description

A fully-fledged VBA RAT was detected as part of a new attack operation against Russian and pro-Russian entities. So far, the threat actor has not been identified conclusively; certain evidence points to it being a newly emerged hacker group. The malware is delivered to victims' machines via a lure document containing a manifesto about Crimea, a hotly contested region between Russia and Ukraine.

One Document, Two Attack Vectors

The lure document is named 'Manifest.docx' (Манифест.docx). It attempts to fetch and deliver the final payload, the VBA RAT, via not one but two separate infection vectors. The first is macro-based: the document references a remote template hosted at a URL, and that template carries the RAT payload. The second vector abuses an Internet Explorer vulnerability designated CVE-2021-26411, which allows the threat actor to execute shellcode that deploys the same VBA RAT.

Harmful Capabilities

The VBA RAT is equipped with all the capabilities expected from this malware type. It collects data about the victim and exfiltrates it to the attacker. It can manipulate files stored on the compromised system (delete, upload, or download them) and read disk and other system information. The RAT can also execute arbitrary commands. To avoid easy detection by anti-malware products, the threat avoids the API calls typically used for shellcode execution; instead, the VBA RAT uses EnumWindows to achieve the same goal.