Article Details

Scrape Timestamp (UTC): 2024-09-05 07:49:13.057

Source: https://thehackernews.com/2024/09/malware-attackers-using-macropack-to.html

Original Article Text

Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore

Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos. The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed by French developer Emeric Nasi.

The cybersecurity company said it found artifacts uploaded to VirusTotal from China, Pakistan, Russia, and the U.S. that were all generated by MacroPack and used to deliver various payloads such as Havoc, Brute Ratel, and a new variant of PhantomCore, a remote access trojan (RAT) attributed to a hacktivist group named Head Mare.

"A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines," Talos researcher Vanja Svajcer said. "These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents."

An important aspect to note here is that the lure themes spanning these documents are varied, ranging from generic topics that instruct users to enable macros to official-looking documents that appear to come from military organizations. This suggests the involvement of distinct threat actors.

Some of the documents have also been observed taking advantage of advanced features offered as part of MacroPack to bypass anti-malware heuristic detections by concealing the malicious functionality using Markov chains to create seemingly meaningful functions and variable names.
The attack chains, observed between May and July 2024, follow a three-step process that entails sending a booby-trapped Office document containing MacroPack VBA code, which then decodes a next-stage payload to ultimately fetch and execute the final malware. The development is a sign that threat actors are constantly updating tactics in response to disruptions and taking more sophisticated approaches to code execution.
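Two things in the article give a defender something concrete to look for: the decode-then-fetch-and-execute chain inside the macro, and the presence of unobfuscated VBA subroutines that nothing else in the document ever calls. The script below is an added example, not code from the article or from Cisco Talos. It assumes the macro source has already been extracted from the Office file (for instance with olevba) and works only on that text; the VBA it triages is a constructed sample, and the names in it are invented for this example (the article does not publish the names of the four subroutines Talos saw).

```python
"""Static triage of extracted VBA macro source.

Added example, not code from the article or from Cisco Talos. It assumes the
macro text has already been pulled out of the Office file (for instance with
olevba); everything below works on that text alone.
"""
import re

# Procedure names Office runs automatically on open/close (lowercase for matching).
AUTO_EXEC = {
    "autoopen", "auto_open", "document_open", "workbook_open",
    "autoclose", "auto_close", "document_close", "workbook_beforeclose",
}

# Primitives that typically show up in a "decode, then fetch and execute" chain.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bShell\s*\(", re.I), "process execution via Shell()"),
    (re.compile(r"\bWScript\.Shell\b", re.I), "WScript.Shell (process execution)"),
    (re.compile(r"\bCreateObject\s*\(", re.I), "late-bound COM object creation"),
    (re.compile(r"\bChr[BW]?\s*\(", re.I), "character-code string assembly"),
    (re.compile(r"\bXor\b", re.I), "XOR decoding arithmetic"),
    (re.compile(r"\bStrReverse\s*\(", re.I), "string reversal"),
    (re.compile(r"XMLHTTP|WinHttp|URLDownloadToFile", re.I), "network download"),
]

# One Sub/Function from its declaration line to its matching End line.
PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(Sub|Function)\s+([A-Za-z_]\w*)\b(.*?)^\s*End\s+\1\b",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def split_procedures(vba_source):
    """Map each procedure name to its body text."""
    return {m.group(2): m.group(3) for m in PROC_RE.finditer(vba_source)}


def triage(vba_source):
    """Return auto-exec entry points, suspicious primitives per procedure,
    and procedures that no other procedure ever calls."""
    procs = split_procedures(vba_source)
    findings = []
    for name, body in procs.items():
        if name.lower() in AUTO_EXEC:
            findings.append((name, "auto-exec entry point"))
        for pattern, why in SUSPICIOUS_PATTERNS:
            if pattern.search(body):
                findings.append((name, why))
    # A procedure is "referenced" if its name appears as an identifier in any
    # other procedure body. Dead, unobfuscated helpers are a useful fingerprint.
    unreferenced = []
    for name in procs:
        used = any(
            name.lower() in {t.lower() for t in IDENT_RE.findall(body)}
            for other, body in procs.items() if other != name
        )
        if not used and name.lower() not in AUTO_EXEC:
            unreferenced.append(name)
    return {
        "procedures": sorted(procs),
        "findings": findings,
        "unreferenced": sorted(unreferenced),
    }


# Constructed sample macro source for this example (not from a real document).
SAMPLE_VBA = r"""
' Constructed sample, not MacroPack output.
Sub AutoOpen()
    RunStage
End Sub

Sub RunStage()
    Dim s As String
    s = Decode("PLACEHOLDER_HEX")
    CreateObject("WScript.Shell").Run s, 0
End Sub

Function Decode(enc As String) As String
    Dim i As Integer
    For i = 1 To Len(enc) Step 2
        Decode = Decode & Chr(CInt("&H" & Mid(enc, i, 2)) Xor 7)
    Next i
End Function

Sub FormatReport()
    ' Benign-looking helper that nothing calls
    Dim title As String
    title = "Quarterly report"
End Sub

Function ColumnWidth(n As Integer) As Integer
    ColumnWidth = n * 2
End Function
"""

if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    for proc, why in report["findings"]:
        print(f"[{proc}] {why}")
    print("never called:", ", ".join(report["unreferenced"]))
```

The unreferenced-procedure check is the part worth carrying into a real pipeline: a handful of plausibly named, unobfuscated subroutines that no code path reaches is exactly the kind of generator artifact the article describes, and it survives renaming of the malicious functions because it keys on structure rather than on specific names. Running the same triage over the macro streams of a large document set and clustering on the set of dead procedures is a cheap way to group samples from one toolkit.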

Daily Brief Summary

MALWARE // Sophisticated Malware Delivery Using MacroPack Tool Uncovered

Cisco Talos has reported that threat actors are misusing MacroPack, a tool originally developed for red teaming, to deliver malware.

Malicious documents used for this purpose included harmful payloads such as Havoc, Brute Ratel, and a new variant of the PhantomCore RAT.

Artifacts analyzed were found on VirusTotal, originating from various countries including China, Pakistan, Russia, and the U.S.

These documents were crafted to trick users into enabling macros, with some even mimicking military organization communications to appear legitimate.

Researchers highlighted the use of non-obfuscated VBA subroutines common across all malicious samples, which were unique to these attacks and not previously seen in other malware campaigns.

Attackers leveraged advanced features of MacroPack to evade anti-malware solutions, utilizing techniques like Markov chains for obfuscation.

The attack process involved a three-step sequence: sending a MacroPack-embedded Office document, decoding a next-stage payload, and executing the final malware.

This latest finding shows an evolution in threat actor tactics, focusing on more complex methods to avoid detection and enhance the success of their attacks.