Threat actors have been using MacroPack [4], a legitimate red-teaming tool that generates obfuscated Office documents and other payload carriers [3], to deliver the Brute Ratel and Havoc post-exploitation frameworks [3] as well as a new variant of the PhantomCore RAT [4].

Description

Analysis by Cisco Talos found threat actors using MacroPack-generated documents whose obfuscated VBA is designed to evade static detection [3]. Microsoft Office documents uploaded to VirusTotal between May and July 2024 (one secondary report gives the window as 2023-2024 [2]) were identified as MacroPack output; they were uploaded from China [2] [4], Pakistan [1] [2] [3] [4], Russia [2] [3] [4] and the US [2] [3] [4]. Their payloads included the Havoc and Brute Ratel frameworks [4] and a new variant of the PhantomCore RAT [3] [4]. Infosecurity Magazine also reports Palo Alto's GlobalProtect VPN being used to distribute that new variant [4].

The documents uploaded from China and Taiwan in May and July 2024 used generic Word lures, in Chinese and English [2], that asked the user to enable content [1]; doing so runs the embedded VBA macro. The C2 IP addresses for these payloads sat in AS4837 in China, and the final payload was the Havoc Demon implant. Havoc is a post-exploitation C2 framework made up of a teamserver and agent components [1]. Talos observed two variants with different C2 addresses and lure themes, one compiled for 64-bit Windows and the other for 32-bit Windows [1]. A Brute Ratel implant was also seen, loaded as a DLL by a shellcode loader, which gives the operator remote control of the compromised host [1] [2].

The Pakistani uploads were military-themed: a circular announcing new awards, including land plots, for Pakistan Air Force officers [1]. Opening the document let the MacroPack-generated code build a Brute Ratel shellcode loader in memory and execute it to load the badger DLL [1], which [2] describes as using advanced C2.

The upload from Russia led to the new PhantomCore backdoor, which [2] links to Ukrainian hacktivists, and the upload from the US contained sandbox-evasion checks and attempted to download an HTML Application (HTA) [2].

Despite the sophistication of these attacks [3], the researchers have not attributed them to a specific threat actor [3]. The cases highlight the dual-use potential of red-teaming tools and the need for continued vigilance [3].
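
As an added illustration of what a defender can do with the behaviours described above (this is example code written for this page, not code from the Talos report or from MacroPack itself): the Python script below takes VBA source already extracted from a document (for example with olevba from oletools) and scores it for MacroPack-style obfuscation, meaning random procedure names, strings rebuilt from Chr() calls and short "&" fragments, and an AutoOpen trigger, together with the in-memory shellcode loader pattern, meaning VirtualAlloc, RtlMoveMemory and CreateThread declared under random VBA names but still aliased to their real exports. It also folds the split strings back together so that a download URL or an mshta command becomes readable. The macro text is constructed for the example, and the thresholds and weights are assumptions to be tuned on your own corpus.

```python
import re

# Constructed sample of MacroPack-style obfuscated VBA (an assumption for this
# example, not a real sample from the Talos report): random procedure names,
# strings rebuilt from Chr() and short "&" fragments, an AutoOpen trigger, and
# Win32 memory APIs declared under random VBA names but aliased to the real
# exports. The string passed to the loader is a URL only so that the example
# has something readable to recover; a real document would pass shellcode.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function fQbZ Lib "kernel32" Alias "VirtualAlloc" (ByVal a As LongPtr, ByVal b As Long, ByVal c As Long, ByVal d As Long) As LongPtr
Private Declare PtrSafe Function oPwX Lib "kernel32" Alias "RtlMoveMemory" (ByVal a As LongPtr, ByRef b As Any, ByVal c As Long) As LongPtr
Private Declare PtrSafe Function kLmT Lib "kernel32" Alias "CreateThread" (ByVal a As Long, ByVal b As Long, ByVal c As LongPtr, d As Long, ByVal e As Long, f As Long) As LongPtr

Sub AutoOpen()
    Dim xQr9 As String
    xQr9 = Chr(104) & Chr(116) & Chr(116) & Chr(112)
    xQr9 = xQr9 & "s:" & "//" & "exa" & "mple" & ".te" & "st/" & "x.h" & "ta"
    qWe3 xQr9
End Sub

Sub qWe3(pZ As String)
    Dim hB As LongPtr
    hB = fQbZ(0, Len(pZ), &H3000, &H40)
    oPwX hB, ByVal pZ, Len(pZ)
    kLmT 0, 0, hB, 0, 0, 0
End Sub
'''

PROC_RE = re.compile(r"\b(?:Sub|Function)[ \t]+([A-Za-z_]\w*)")  # horizontal space only, so "End Sub\nSub x" is not mis-parsed
ALIAS_RE = re.compile(r'\bAlias\s+"(\w+)"')
CHR_RE = re.compile(r"\bChr[WB]?\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
JOIN_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:(\w+)\s*&\s*)?"([^"]*)"\s*$')

MEMORY_APIS = {"VirtualAlloc", "VirtualAllocEx", "RtlMoveMemory", "CreateThread",
               "CreateRemoteThread", "WriteProcessMemory", "NtAllocateVirtualMemory"}
AUTO_TRIGGERS = {"AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open"}


def looks_generated(name):
    """Crude test for machine-generated identifiers: contains digits, or almost no vowels."""
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return bool(re.search(r"\d", name)) or vowels / len(name) < 0.3


def _chr_literal(m):
    code = int(m.group(1))
    # Chr(34) is a double quote; leave it alone so the folded literal stays parseable.
    return '"%c"' % code if 32 <= code < 127 and code != 34 else m.group(0)


def fold_line(line):
    """Turn Chr(n) calls into literals and merge adjacent "a" & "b" fragments until stable."""
    line = CHR_RE.sub(_chr_literal, line)
    while True:
        folded = JOIN_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), line)
        if folded == line:
            return line
        line = folded


def recover_strings(src):
    """Emulate the two assignment shapes the sample uses: v = "lit" and v = w & "lit"."""
    values = {}
    for raw in src.splitlines():
        m = ASSIGN_RE.match(fold_line(raw))
        if m:
            var, base, lit = m.groups()
            values[var] = (values.get(base, "") if base else "") + lit
    return values


def triage(src):
    """Score VBA source; thresholds and weights are assumptions to tune locally."""
    procs = PROC_RE.findall(src)
    strings = recover_strings(src)
    f = {
        "procedures": len(procs),
        "generated_name_ratio": round(sum(map(looks_generated, procs)) / len(procs), 2) if procs else 0.0,
        "chr_calls": len(CHR_RE.findall(src)),
        "auto_triggers": sorted(AUTO_TRIGGERS.intersection(procs)),
        "memory_apis": sorted(MEMORY_APIS.intersection(ALIAS_RE.findall(src))),
        "recovered_strings": strings,
        "hta_or_mshta": any("mshta" in v.lower() or v.lower().endswith(".hta") for v in strings.values()),
    }
    # alloc + copy (+ thread) aliased together is the in-memory loader signature and weighs most
    score = (2 * (f["generated_name_ratio"] >= 0.5) + (f["chr_calls"] >= 4) + bool(f["auto_triggers"])
             + 3 * (len(f["memory_apis"]) >= 2) + 2 * f["hta_or_mshta"])
    f["score"] = score
    f["verdict"] = ("likely obfuscated loader" if score >= 5 else
                    "review manually" if score >= 2 else "no obvious indicators")
    return f


if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(f"{k}: {v}")
```

On the constructed sample this reports five procedures of which four have generated-looking names, four Chr() calls, the AutoOpen trigger, all three loader APIs, and the recovered string https://example.test/x.hta, for a score of 9. The identifier heuristic is deliberately simple; MacroPack renames VBA procedures and variables, but Declare statements must still alias the real kernel32 export, which is why the alias names are the strongest signal here and why a sample that builds API names at runtime would need the string-recovery step extended before this check fires.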

Conclusion

These findings show that detection cannot rely on the provenance of the tooling: MacroPack is a legitimate red-team utility, yet its output carried Havoc, Brute Ratel and PhantomCore. Organizations should treat documents that ask users to enable content as high-risk, look for the in-memory loader behaviour described above rather than for a particular framework, and keep detection current as the obfuscation these tools apply evolves.

References

[1] https://blog.talosintelligence.com/threat-actors-using-macropack/
[2] https://www.digitalvocano.com/cybersecurity/hackers-abuse-red-team-tool-macropack-to-deliver-multiple-malicious-payloads
[3] https://cybermaterial.com/macropack-tool-misused-to-deploy-malware/
[4] https://www.infosecurity-magazine.com/news/red-teaming-tool-abused-malware/