Original Article Text

Red team tool 'MacroPack' abused in attacks to deploy Brute Ratel

The MacroPack framework, initially designed for Red Team exercises, is being abused by threat actors to deploy malicious payloads, including Havoc, Brute Ratel, and PhantomCore.

Security researchers at Cisco Talos analyzed malicious document submissions to VirusTotal from various countries, including the United States, Russia, China, and Pakistan. These documents varied in their lures, sophistication, and infection vectors, indicating that MacroPack is being abused by multiple unrelated threat actors and signifying a potential trend.

MacroPack payload generation

MacroPack is a proprietary tool focused on Red Team exercises and adversary simulations, created by French developer Emeric Nasi (dba BallisKit). It offers features such as anti-malware bypass, anti-reversing techniques, and the ability to build various document payloads with code obfuscation and embedded VB scripts designed to evade detection. There is also a "lite" open-source version called MacroPack Community, which is no longer maintained.

Cisco Talos reports catching many document samples in the wild that carry signs of having been generated with MacroPack: Markov-chain-based function and variable renaming, removal of comments and surplus whitespace (which lowers static-analysis detection rates), and string encoding. The giveaway on all of these documents, indicating they were built with MacroPack Pro, is the presence of four non-malicious VBA subroutines that the researchers confirmed are added by the professional version of the framework.

Victims who open these Microsoft Office documents trigger the first-stage VBA code, which loads a malicious DLL that connects to the attacker's command and control (C2) server.
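The traits listed above (stripped comments and whitespace, Markov-style identifier renaming, encoded strings, an auto-run trigger that loads a DLL) can be turned into a triage heuristic for VBA source that has already been extracted from a document. The following is an added example written for this page; it is not code from the article, from Cisco Talos, or from MacroPack, and it does not reproduce the four signature subroutines, which the article does not disclose. The two sample macros, the wordlist, the regular expressions, and the score threshold are all constructed assumptions, and a score is a hint for analyst review, not a detection verdict: any minifier or benign obfuscator will trip several of the same signals.

```python
import re

# Constructed sample macros (hypothetical, not real malware, not MacroPack output).
OBFUSCATED_VBA = """\
Private Declare PtrSafe Function hgwaneb Lib "kernel32" Alias "LoadLibraryA" (ByVal ptuno As String) As LongPtr
Sub AutoOpen()
piadol
End Sub
Sub piadol()
Dim zuxiva As String
zuxiva = Chr(67) & Chr(58) & Chr(92) & Chr(85) & Chr(115) & Chr(101) & Chr(114) & Chr(115)
Dim nadebo As String
nadebo = StrReverse("lld.tupni") & Chr(0)
hgwaneb zuxiva & "\\" & nadebo
End Sub
"""

CLEAN_VBA = """\
' Helper macro: copies the current selection into a report table.
' Author: finance team
Sub BuildReport()
    Dim reportSheet As Worksheet
    Dim lastRow As Long
    ' Locate the target sheet
    Set reportSheet = ThisWorkbook.Sheets("Report")
    lastRow = reportSheet.Cells(reportSheet.Rows.Count, 1).End(xlUp).Row
    Selection.Copy Destination:=reportSheet.Cells(lastRow + 1, 1)
End Sub
"""

# Substrings a human author is likely to use in identifiers (assumed wordlist).
# Declared names containing none of them are treated as possibly machine-generated.
COMMON_WORDS = ("doc", "sheet", "report", "file", "path", "name", "data", "row",
                "col", "cell", "count", "index", "value", "result", "temp", "str",
                "load", "run", "open", "get", "set", "build", "helper", "main",
                "read", "write", "list", "item", "user", "last", "first")
KEYWORDS = {"sub", "function", "dim", "const"}

# [ \t]+ rather than \s+ so "End Sub\nSub x" does not capture "Sub" as a name.
DECL_RE = re.compile(r"\b(?:Sub|Function|Dim|Const)[ \t]+([A-Za-z_]\w*)", re.IGNORECASE)
COMMENT_RE = re.compile(r"\s*('|Rem\b)", re.IGNORECASE)
ENCODE_RE = re.compile(r"\b(?:Chr|ChrW|StrReverse|Xor)\b|&H[0-9A-F]{2}", re.IGNORECASE)
TRIGGER_RE = re.compile(r"(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoClose)", re.IGNORECASE)
DECLARE_RE = re.compile(r"\bDeclare\b.*\bLib\b", re.IGNORECASE)


def vba_signals(src: str) -> dict:
    """Score one VBA module on the obfuscation traits described in the article."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    code_lines = [ln for ln in lines if not COMMENT_RE.match(ln)]
    comment_count = len(lines) - len(code_lines)

    # Declared identifiers, minus Office-mandated trigger names and stray keywords.
    names = {n for n in DECL_RE.findall(src)
             if n.lower() not in KEYWORDS and not TRIGGER_RE.fullmatch(n)}
    random_names = [n for n in names
                    if not any(w in n.lower() for w in COMMON_WORDS)]
    encode_calls = sum(len(ENCODE_RE.findall(ln)) for ln in code_lines)

    signals = {
        # Comments stripped entirely (minification / anti-static-analysis).
        "no_comments": comment_count == 0,
        # No indented lines at all: surplus whitespace removed.
        "no_indentation": not any(ln[0] in " \t" for ln in code_lines),
        # Most declared identifiers look generated rather than human-chosen.
        "random_names": bool(names) and len(random_names) / len(names) >= 0.75,
        # Heavy use of Chr()/StrReverse()/hex literals: string encoding.
        "encoded_strings": encode_calls / max(len(code_lines), 1) >= 0.5,
        # Auto-run entry point fires on document open/close.
        "auto_trigger": TRIGGER_RE.search(src) is not None,
        # Win32 API import, the usual way first-stage VBA loads a DLL.
        "dll_import": DECLARE_RE.search(src) is not None,
    }
    signals["score"] = sum(1 for k, v in signals.items() if v is True)
    return signals


def looks_macropack_style(src: str, threshold: int = 4) -> bool:
    """Flag a module for manual review once enough signals coincide (threshold is assumed)."""
    return vba_signals(src)["score"] >= threshold


if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED_VBA), ("clean", CLEAN_VBA)):
        print(label, vba_signals(sample), "-> review" if looks_macropack_style(sample) else "-> ok")
```

Feed it the module text produced by a VBA extractor (for example the olevba tool from oletools, not shown here) and treat a high score as a prompt to look at the file, not as proof of the framework; the article's definitive indicator is the four Pro-version subroutines, which only a comparison against known MacroPack output can confirm.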
Documents in the wild

Cisco Talos' report identifies four significant clusters of malicious activity associated with MacroPack abuse, which are summarized as follows:

Brute Ratel is a post-exploitation framework that threat actors have been deploying as an alternative to Cobalt Strike since mid-2022. Ransomware groups have also been spotted using a cracked version of Brute Ratel to evade EDR and antivirus products during attacks. The abuse of MacroPack adds another layer of stealth to these attacks and is a worrying development for defenders.

BleepingComputer has contacted Emeric Nasi about the observed abuse, but we have not received a response yet.

Daily Brief Summary

MALWARE // Increasing Abuse of MacroPack Tool in Sophisticated Malware Attacks

MacroPack, originally designed for Red Team exercises, is being abused to deploy malicious payloads including Havoc, Brute Ratel, and PhantomCore.

Researchers at Cisco Talos found malicious documents linked to this abuse among VirusTotal submissions from countries including the USA, Russia, China, and Pakistan.

These documents varied in their lures, sophistication, and infection vectors, indicating use by several unrelated threat actors.

MacroPack offers features for evading malware detection, such as code obfuscation and advanced anti-reversing techniques. It was developed by French developer Emeric Nasi.

Indicators of MacroPack's use include Markov-chain-based renaming of functions and variables, stripped comments and whitespace, string encoding, and, for the Pro version, four non-malicious VBA subroutines that the framework adds to every document.

Opening one of these malicious Microsoft Office documents runs first-stage VBA code that loads a malicious DLL, which connects to the attacker's C2 server.

Brute Ratel, one of the delivered payloads, has been used as a Cobalt Strike alternative since mid-2022, including by ransomware groups running cracked versions to evade endpoint detection and response (EDR) and antivirus software; MacroPack adds a further layer of stealth on top of it.