Hackers are using the MacroPack framework to generate weaponized Microsoft Office documents. These documents, in turn, deploy different malware to their targets, including Blue Ratel, PhantomCore, and Havoc.
This is according to a new report from cybersecurity researchers Cisco Talos. In a detailed analysis published earlier this week, the researchers said they spotted what appear to be multiple threat actor groups abusing MacroPack in their malicious campaigns.
The MacroPack framework is a legitimate tool used to create and manipulate Microsoft Office documents with embedded macros, often used in cybersecurity contexts for penetration testing and red teaming. It allows users to automate the generation of documents that can execute payloads or scripts, which can be exploited by attackers to deliver malicious code.
MacroPack Abuse
As explained in the report, the researchers took multiple files uploaded to the VirusTotal database, and came to the conclusion that at least four different groups are abusing MacroPack. One is from China, Taiwan, and Pakistan, and it was active between May and July this year, distributing Brute Ratel and Havoc. The C2 servers for this campaign were located in Henan, China. One is in Pakistan, impersonating the Pakistan Air Force, and distributing Brute Ratel. One is in Russia, dropping PhantomCore, and the last one is in the US, and was deploying a previously unknown malware labeled mshta.exe.
Brute Ratel is a sophisticated red-teaming and adversary simulation tool designed for offensive cybersecurity professionals. It helps simulate advanced persistent threat (APT) attacks by mimicking real-world tactics, techniques, and procedures (TTPs) used by cyber adversaries. The tool is used to test and improve the defenses of organizations by evaluating their security posture against complex attacks. As such, it is seen as an alternative to Cobalt Strike, another legitimate tool which was abused to the point that antivirus programs started flagging it.
Via BleepingComputer
More from TechRadar Pro
- BlackCat ransomware could be about to get a whole lot nastier
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now