Hackers Abuse Red Team Tool MacroPack To Deliver Multiple Malicious Payloads

Bleeping Computer – Bill Toulas
This article discusses the abuse of MacroPack, a payload-generation framework originally built for Red Team exercises, by threat actors who use it to build malicious documents that deliver their own payloads.
Here are the key points:
1) Overview:
– MacroPack is being used to deploy payloads like Havoc, Brute Ratel, and PhantomCore
– Cisco Talos researchers analyzed malicious documents from various countries
2) MacroPack Features:
– Offers anti-malware bypass and anti-reversing techniques
– Builds document payloads with code obfuscation
– Advertises that it embeds VB scripts which evade detection
3) Malicious Document Characteristics:
– Markov-chain-based function and variable renaming
– Removal of comments and surplus space characters
– String encoding
– Four non-malicious VBA subroutines (indicator of MacroPack Pro usage)
4) Attack Chain:
– VBA code runs automatically when the document is opened
– Loads a malicious DLL
– Connects to the attacker's command-and-control (C2) server
5) Observed Campaigns:
– China: Delivering Havoc and Brute Ratel payloads
– Pakistan: Military-themed documents deploying Brute Ratel
– Russia: Delivering PhantomCore backdoor
– U.S.: Posing as NMLS renewal form, downloading unknown payload
6) Implications:
– Multiple threat actors abusing MacroPack
– Adds stealth to attacks using tools like Brute Ratel
– Concerning development for cybersecurity defenders
7) Additional Context:
– Brute Ratel is a post-exploitation attack framework
– Ransomware groups have been using cracked versions to evade detection
This abuse of MacroPack represents a significant threat, as it allows attackers to create sophisticated, hard-to-detect malicious documents for various cybercrime purposes.
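The document characteristics listed in section 3 (renamed identifiers, stripped comments and whitespace, encoded strings, benign padding subroutines) and the auto-open chain in section 4 are all visible in dumped VBA source. The script below is an added example written for this summary; it is not code from the BleepingComputer article, Cisco Talos, or the MacroPack project. It scores raw VBA text against those generic traits, folds Chr()/StrReverse()/concatenation encoding back into literals before keyword matching, and lists routines that are never called. The thresholds and both sample macros are constructed for the demo; treat the result as a triage heuristic for obfuscated macros in general, not as a MacroPack signature.

```python
"""Heuristic triage of VBA source for the traits Talos describes in MacroPack-built
documents: auto-exec entry point, stripped comments/indentation, Chr()-encoded
strings, DLL or shell loading, and non-malicious decoy routines. Added example, not
code from the article, Cisco Talos or MacroPack; thresholds and samples are constructed."""
import re

AUTO_EXEC = re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b", re.I)
DLL_OR_SHELL = re.compile(r"\bDeclare\b.*\bLib\b|\brundll32\b|\bregsvr32\b|\bLoadLibrary\w*"
                          r"|\bShell\s*\(|WScript\.Shell|\.dll\b", re.I)
STRING_ENCODE = re.compile(r"\b(Chr[WB]?|StrReverse)\s*\(", re.I)
COMMENT = re.compile(r"^\s*('|Rem\b)", re.I)
BLOCK_OPEN = re.compile(r"^\s*(If\b.*\bThen\s*$|For\b|Do\b|While\b|Sub\b|Function\b|With\b)", re.I)
DEF_LINE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I)
CHR_CALL = re.compile(r"\bChrW?\s*\(\s*(\d+)\s*\)", re.I)
STR_REVERSE = re.compile(r'\bStrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)
CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def decode_strings(vba):
    """Fold Chr(n), StrReverse("..") and "a" & "b" into literals; Chr(34) (a quote) is left as is."""
    def chr_literal(m):
        c = chr(int(m.group(1)))
        return m.group(0) if c == '"' else '"%s"' % c
    text = CHR_CALL.sub(chr_literal, vba)
    while True:  # repeat until nothing folds; concatenation chains collapse pairwise
        folded = STR_REVERSE.sub(lambda m: '"%s"' % m.group(1)[::-1], text)
        folded = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), folded)
        if folded == text:
            return text
        text = folded


def unreferenced_routines(vba):
    """Sub/Function names never called anywhere else (Office-invoked entry points
    excluded). Padding routines that only exist to look benign land here."""
    lines = vba.splitlines()
    names = [DEF_LINE.match(ln).group(1) for ln in lines if DEF_LINE.match(ln)]
    unused = []
    for name in names:
        if AUTO_EXEC.fullmatch(name):
            continue
        header = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+%s\b" % re.escape(name), re.I)
        own_return = re.compile(r"^\s*%s\s*=" % re.escape(name), re.I)  # a Function setting its return value
        use = re.compile(r"\b%s\b" % re.escape(name), re.I)
        if not any(use.search(ln) for ln in lines if not header.match(ln) and not own_return.match(ln)):
            unused.append(name)
    return unused


def triage(vba):
    """Return per-indicator booleans, the decoded source and a 0..6 score."""
    lines = [ln for ln in vba.splitlines() if ln.strip()]
    code = [ln for ln in lines if not COMMENT.match(ln)]
    blocks = sum(1 for ln in code if BLOCK_OPEN.match(ln))
    indented = sum(1 for ln in code if ln[:1] in (" ", "\t"))
    encode_calls = sum(len(STRING_ENCODE.findall(ln)) for ln in code)
    decoded = decode_strings(vba)
    unused = unreferenced_routines(vba)
    findings = {
        "auto_exec": bool(AUTO_EXEC.search(vba)),
        "no_comments": len(code) == len(lines) and len(code) >= 10,
        "no_indentation": blocks >= 2 and indented == 0,
        "string_encoding": encode_calls >= 5,
        "dll_or_shell": bool(DLL_OR_SHELL.search(decoded)),  # matched after decoding
        "decoy_routines": len(unused) >= 2,
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    findings["unreferenced"], findings["decoded"] = unused, decoded
    return findings


# Constructed sample: a readable, commented template macro.
BENIGN = """Sub Document_Open()
    UpdateHeader
End Sub
Sub UpdateHeader()
    Dim headerText As String
    ' Stamp the first section header with today's date
    headerText = "Generated on " & Format(Date, "yyyy-mm-dd")
    If ActiveDocument.Sections.Count > 0 Then
        ActiveDocument.Sections(1).Headers(1).Range.Text = headerText
    End If
End Sub
"""

# Constructed sample: gibberish names, no comments or indentation, Chr()-built
# strings that resolve to rundll32 / WScript.Shell, and three never-called routines.
OBFUSCATED = """Sub AutoOpen()
qoratel = Chr(114) & Chr(117) & Chr(110) & Chr(100) & Chr(108) & Chr(108) & Chr(51) & Chr(50)
mavisun = Environ(Chr(84) & Chr(69) & Chr(77) & Chr(80)) & Chr(92) & StrReverse("lld.pmet")
Set tamiloc = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
tamiloc.Run qoratel & Chr(32) & mavisun, 0
End Sub
Function rekolab(a As Integer) As Integer
rekolab = a + 1
End Function
Sub felindo()
For c = 1 To 3
Next c
End Sub
Sub balorin()
End Sub
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        f = triage(sample)
        print(label, f["score"], [k for k, v in f.items() if v is True])
```

Feed it the output of a macro extractor (for example `olevba` from oletools) and look at both the score and the decoded text: the decoding pass matters because a literal regex for `rundll32` or `WScript.Shell` never fires on the raw Chr() chains, which is exactly why MacroPack-style string encoding defeats naive keyword scanning. A readable macro with an auto-open handler will still score 1, so the entry point alone is not evidence of anything.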
Link: https://www.bleepingcomputer.com/news/security/red-team-tool-macropack-abused-in-attacks-to-deploy-brute-ratel/