VBA RAT Reaches Victims through pro-Crimea Manifesto

A new piece of malware has been used in the ongoing cyber battle between Russia and Ukraine over the Crimea conflict. The new threat, dubbed the VBA RAT, is being delivered through phishing emails, which contain a macro-laced document. The decoy document is a manifesto called 'Манифест.docx.' The document appears to come in two variations, which use slightly different techniques to execute an embedded payload – the VBA RAT.

The goal of the Trojan is to collect information about the compromised system, as well as to interact with the file system. Its operators can command the implant to delete files, upload/download files, and check what antivirus software is running on the victim's machine. One of the interesting findings related to the VBA RAT campaign is that the attackers are using an Internet Explorer exploit, which was previously employed by the Lazarus Hacking Group. However, it is highly unlikely that the threat actors behind the VBA RAT have anything in common with the infamous Lazarus APT.

VBA RAT Checks for New Instructions Periodically

The way that the VBA RAT receives command is also somewhat unique. Instead of constantly listening for commands, it uses a small script that is triggered every 10 minutes. When 10 minutes pass, the implant contacts the command-and-control server and checks for new commands – if there is nothing, it repeats the task after ten more minutes.

The malware is being managed through a Web-based control panel, which contains information about the victims currently online – location, IP address, operating system, and more. It is highly unlikely that the VBA RAT will be used against regular residents of Russia or Ukraine – instead, its primary targets are likely to be individuals who are involved in the Crimea conflict.

Nevertheless, attacks like the one that the VBA RAT carries out can be halted by using an up-to-date anti-malware software suite.