Threat actors are using a red-teaming tool called MacroPack to deliver malware payloads, according to recent findings from Cisco Talos. Originally built to generate Office documents, Visual Basic scripts, and Windows shortcuts for penetration tests and social-engineering assessments, MacroPack is now being abused by cybercriminals to slip malicious documents past security controls.
The tool, developed by French software engineer Emeric Nasi, has been found in malicious campaigns, based on document samples uploaded from countries including China, Pakistan, Russia, and the U.S. These campaigns delivered a range of malware, including Havoc, Brute Ratel, and a new variant of PhantomCore, a remote access trojan (RAT) used by the hacktivist group Head Mare.
Cisco Talos researcher Vanja Svajcer noted that one of the key indicators of these malicious documents is the presence of four non-malicious VBA subroutines. These subroutines appeared in every analyzed sample, were not obfuscated, and had not previously been seen in any other malicious code, which is what makes them usable as a detection signature.
The lure themes varied widely, from bare prompts to enable macros to polished, official-looking documents that mimic communications from military organizations. This suggests that more than one threat actor is building documents with the MacroPack framework.
The attackers also lean on MacroPack's anti-malware evasion features. One of these is Markov-chain-based renaming: instead of random strings, the generated function and variable names are assembled from letter sequences typical of ordinary words, so they read like normal code and do not trip the random-looking-name heuristics that security products use to flag obfuscated macros.
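To make both points concrete, the unobfuscated subroutine indicator and the Markov-chain renaming, here is an added example written for this article. It is not MacroPack's code and not from the Talos report: the benign-name corpus, the macro fragment, the cutoff value and every function name are assumptions made here. It trains a small character-level Markov chain on benign-looking macro names, generates new identifiers from it, scores any name by how plausible it looks under that model, and runs a Sub/Function extractor over a constructed VBA module so the two naming styles can be compared side by side.

```python
import math
import random
import re
from collections import defaultdict

# Constructed training corpus (assumption): names as seen in benign Office macros.
CORPUS = [
    "GetDocumentProperties", "UpdateTableOfContents", "FormatParagraph",
    "InsertHeaderFooter", "SaveActiveDocument", "CountSelectedRows",
    "ApplyStyleToRange", "ExportWorksheetAsPDF", "ClearFilterSettings",
    "RefreshPivotTable", "ValidateInputCell", "ResizeColumnWidth",
    "PrintCurrentSheet", "OpenTemplateFile", "CopyRangeValues",
    "HighlightDuplicates", "SortByLastName", "ToggleGridLines",
]
ORDER = 2                      # characters of context per transition
END = "$"                      # end-of-name marker
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SMOOTH = 0.1                   # add-k smoothing for unseen transitions
THRESHOLD = -3.0               # constructed cutoff; tune on your own corpus
IDENT_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
SUB_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.MULTILINE)


def train(corpus, order=ORDER):
    """Character-level Markov model: state (last `order` chars) -> next-char counts."""
    model = defaultdict(lambda: defaultdict(int))
    for word in corpus:
        padded = "^" * order + word + END
        for i in range(len(padded) - order):
            model[padded[i:i + order]][padded[i + order]] += 1
    return model


def generate_name(model, rng, order=ORDER, max_len=24):
    """Walk the chain from the start state to sample a fresh, word-like identifier."""
    state, out = "^" * order, []
    while len(out) < max_len:
        counts = model[state]
        chars = list(counts)
        ch = rng.choices(chars, weights=[counts[c] for c in chars])[0]
        if ch == END:
            break
        out.append(ch)
        state = state[1:] + ch
    return "".join(out)


def random_name(rng, length=12):
    """Uniformly random letters: the naive renaming that random-name checks catch."""
    return rng.choice(ALPHABET[:26]) + "".join(rng.choice(ALPHABET) for _ in range(length - 1))


def plausibility(model, name, order=ORDER):
    """Mean log-probability per character under the model (add-k smoothed).
    Names built from observed transitions score high; random letters score low."""
    padded = "^" * order + name + END
    steps = len(padded) - order
    vocab = len(ALPHABET) + 1
    total = 0.0
    for i in range(steps):
        counts = model.get(padded[i:i + order]) or {}
        seen = sum(counts.values())
        p = (counts.get(padded[i + order], 0) + SMOOTH) / (seen + SMOOTH * vocab)
        total += math.log(p)
    return total / steps


def is_valid_identifier(name):
    return IDENT_RE.fullmatch(name) is not None


def extract_names(vba_source):
    """Names of every Sub/Function declared in a VBA module (regex, not a full parser)."""
    return SUB_RE.findall(vba_source)


def triage(vba_source, model, threshold=THRESHOLD):
    """(name, score, looks_generated) per routine. The flag means the name is
    unlike anything in the benign corpus, not that the routine is malicious."""
    rows = []
    for name in extract_names(vba_source):
        score = plausibility(model, name)
        rows.append((name, round(score, 2), score < threshold))
    return rows


MODEL = train(CORPUS)


def demo_names(seed=7, n=5):
    """n Markov names and n random names from a fixed seed, for comparison."""
    rng = random.Random(seed)
    return [generate_name(MODEL, rng) for _ in range(n)], [random_name(rng) for _ in range(n)]


# Constructed macro fragment (assumption) mixing word-like names with a random one.
SAMPLE_VBA = """Attribute VB_Name = "Module1"
Private Sub FormatParagraphStyle()
    ' benign-looking helper, left unobfuscated
End Sub
Sub xQzWpLrTbnMv()
    Call RunStage
End Sub
Function ExportRangeValues(r As Range) As String
    ExportRangeValues = ""
End Function
"""

if __name__ == "__main__":
    markov, naive = demo_names()
    for label, names in (("markov", markov), ("random", naive)):
        for n in names:
            print(f"{label:7} {n:26} score={plausibility(MODEL, n):6.2f}")
    for row in triage(SAMPLE_VBA, MODEL):
        print(row)
```

Running it shows the evasion in one screen: the Markov names score close to the benign corpus and are not flagged, while the uniformly random name is. The practical lesson is the one Talos draws, namely that once names look natural, detection has to fall back on structure that the generator does not vary, such as the four fixed, unobfuscated subroutines, rather than on how random the identifiers look.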
Attack Chain Overview:
The observed attack chains between May and July 2024 follow a three-step process:
- Booby-trapped Office document: the lure file carries VBA code generated by MacroPack.
- Decoding the next stage: the VBA code decodes and prepares the next-stage payload.
- Malware execution: the final payload, such as Havoc, Brute Ratel or PhantomCore, is downloaded and executed.
This shows how threat actors keep adapting to defensive disruptions, here by adopting a mature offensive-security tool for code execution rather than building their own. The use of MacroPack as a malware delivery vehicle is notable precisely because it is a legitimate product built for red teaming and penetration testing.
The findings underscore the need for heightened vigilance in detecting legitimate tools being repurposed for malicious activities, particularly in an environment where adversaries are constantly refining their methods.