Open-Source Remote Access Trojan Targets Armenian Airport and State Institutions

Macro, MS Word, RAT, Trojan, VBA

September 22, 2023

Threat-researchers at CyberHUB-AM, with the support from Internews’ Martijn Grooten, are tracking a Remote Access Trojan targeting the Armenia International Airports and Armenian State Bodies. The attack was first identified by a Singapore-based cybersecurity researcher –  Zhixiang Hao.

The malware is embedded within an MS Word document, which is presented as an official warning message from Armenia’s National Security Service, and employs VBA Macro code and powershell script to gain foothold in the system.

Armenia -- Screenshot of malacious MS Word file, pretending to be from Armenia's National Security Service, Yerevan, 21Sep2023
Armenia — Screenshot of malacious MS Word file, pretending to be from Armenia’s National Security Service, Yerevan, 21Sep2023

This report provides an in-depth analysis of the malware, its functionality, and associated indicators of compromise (IOCs) to enable effective threat mitigation.

We have published a separate paper with more technical data, which would be of interest to technical researchers.

Attack Overview

Malware Sample Information:

  • File Name: haytararutyun.doc
  • SHA-256 Hash: fa406c532ea3d7cae05411df0ed5a541630a07f26a247a22d907f424397c72ce
  • Delivery Method: The malware is delivered through a Word document (haytararutyun.doc) that contains a malicious VBA Macro code.

VBA Macro Functionality: The VBA Macro code within the document performs the following actions:

  • Downloads a file (ekeng-mta.exe) from a remote server (hxxps[://]karabakhtelekom[.]com/api/ekeng-mta[.]exe).
  • Executes the downloaded file using the command cmd /c C:\users\Public\Downloads\ekeng-mta.exe.
  • Copies a file (Server.bat) to a different location.
  •  Runs Server.bat with the vbHide attribute, potentially executing malicious code.
  • Contacts a remote Command and Control (C2) server ( using PowerShell.
  • Utilizes encoded commands to bypass protection systems.
  • Downloads additional files, including mta.ps1 and mta.dll, which are associated with the UrbanBishop payload.

UrbanBishop Payload:

  • The malware includes a payload known as UrbanBishop, which is used for shellcode execution.
  • UrbanBishop is a potentially open-source tool for Remote Access and Trojan (RAT) functionality.

Indicators of Compromise (IOCs)

Malicious Files:


  • SHA-256 Hash:fa406c532ea3d7cae05411df0ed5a541630a07f26a247a22d907f424397c72ce


  •  SHA-256 Hash: 3a679cb98f88d7d6bd84dcfe9717238c08c05942055bdb798103224e7f2f2ca9


  •  SHA-256 Hash: 60416198c9b2105c9204638fd00e154e2f5c32ba45f5a8ae2671bae565c062e9


  •  SHA-256 Hash: be4bf8ae8ad02363ec3a3a0a932a439eab48c9427375038d121421806be32051

C2 Server:

  • IP Address:
  • Location: Africa (likely a VPS server)


  • Domain Name:
  •  Registrar: eNom, LLC
  • Creation Date: 2023-09-04
  • Updated Date: 2023-09-11
  • Currently on clientHold status

Mitigation Strategies

Monitor Outgoing Connections:

  • Implement monitoring of outgoing connections with PowerShell user-agent strings.

Network Layer Restriction:

  • Restrict access to the IP address at the network layer.

Process Monitoring:

  • Continuously monitor running child processes, especially mta.dll.

Hash Value Checking:

Check the hash values of critical files:

  • mta.ps1 (SHA1: 72EF210030F0F470433A6AACC66DFBE4CBFDAD5C)
  • mta.dll (SHA1: F5145EC20482B39B727E980169DA92E36D4C5A6E)

Email Gateway Protection:

  • Block emails originating from the domain to prevent further attacks.


This threat analysis report outlines a malware campaign targeting Armenians using a malicious MS Word document with embedded VBA Macro code. The malware’s functionalities include downloading and executing malicious payloads, contacting a remote C2 server, and utilizing the UrbanBishop payload. Mitigation strategies are provided to safeguard against this threat, emphasizing the importance of proactive monitoring and network security measures. Security teams are encouraged to stay vigilant and update their defenses accordingly.