Sep 05, 2024 | Ravie Lakshmanan | Cyber Threat / Malware
Ever wondered how threat actors deploy malware? A recent discovery by Cisco Talos shows that red teaming tools are being misused for malicious purposes.
The spotlight is on a payload generation framework known as MacroPack, designed primarily for penetration testing and social engineering assessments but now evidently leveraged by cybercriminals. Developed by French developer Emeric Nasi, the tool can generate weaponized Office documents, Visual Basic scripts, and Windows shortcuts.
Multiple samples uploaded to VirusTotal from across the globe, including China, Pakistan, Russia, and the U.S., have showcased the use of MacroPack to distribute Havoc, Brute Ratel, and a fresh variant of PhantomCore, a remote access trojan tied to the hacktivist group Head Mare.
“What struck us in all the analyzed malicious documents was the presence of four innocuous VBA subroutines,” noted Talos researcher Vanja Svajcer in a blog post. “These routines, unobscured and unique, had not seen use in any other malicious context.”
The lure themes used in these documents range from generic prompts urging the user to enable macros to sophisticated military-themed decoys; the distinctiveness of each campaign suggests that different threat actors are involved.
Moreover, some of the documents take advantage of MacroPack's advanced capabilities to evade heuristic detection, including Markov-chain-based obfuscation that generates plausible-looking function and variable names.
The attack chains, observed between May and July 2024, begin with the delivery of a weaponized Office file carrying MacroPack-generated VBA code. That code decodes a next-stage payload, which in turn retrieves and executes the final malware.
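The two points above, that Markov-generated identifiers defeat name-based heuristics and that the macro's job is to decode a stage and hand it to an execution sink, are what a defender's triage should key on. The following is an added example, not code from the Talos report or from MacroPack: a small static triage routine run over a constructed, inert VBA module whose identifier names are pronounceable nonsense of the kind a Markov chain produces. It shows that a lexical check on names finds nothing while auto-execution entry points and behavioural primitives still give a signal.

```python
import re

# Constructed VBA module standing in for a MacroPack-style macro. The identifier
# names are pronounceable but meaningless, as a Markov-chain name generator would
# produce; the hex string "00" is an inert placeholder, not a real payload.
SAMPLE_VBA = """
Sub AutoOpen()
    Call Verantor
End Sub
Function Dalmeric(Plenvor As String) As String
    Dim Orsalin As Integer
    For Orsalin = 1 To Len(Plenvor) Step 2
        Dalmeric = Dalmeric & Chr(CInt("&H" & Mid(Plenvor, Orsalin, 2)))
    Next
End Function
Sub Verantor()
    Dim Kestrelan As String
    Kestrelan = Dalmeric("00")
    Shell Kestrelan, vbHide
End Sub
"""

# Entry points Office runs without user interaction once macros are enabled.
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "workbook_open"}
# Behavioural indicators: decoding primitives and execution/download sinks.
INDICATORS = {
    "Chr": r"\bChr[BW]?\s*\(", "StrReverse": r"\bStrReverse\s*\(",
    "Shell": r"\bShell\b", "CreateObject": r"\bCreateObject\s*\(",
    "XMLHTTP": r"XMLHTTP", "URLDownloadToFile": r"URLDownloadToFile",
}
DECL_RE = re.compile(r"^\s*(?:Sub|Function|Dim)\s+(\w+)", re.I | re.M)

def triage(vba: str) -> dict:
    """Static triage of one VBA module: entry points, behaviour hits, a score."""
    declared = DECL_RE.findall(vba)
    auto_exec = [n for n in declared if n.lower() in AUTO_EXEC]
    hits = [k for k, pat in INDICATORS.items() if re.search(pat, vba, re.I)]
    # Name-based heuristic: declared identifiers that look suspicious by name.
    # Markov-generated names defeat this, so the score deliberately leans on
    # auto_exec entry points and behavioural hits instead.
    lexical = [n for n in declared if re.search(r"payload|shell|exec|decode|run", n, re.I)]
    score = len(auto_exec) * 2 + len(hits)
    return {"auto_exec": auto_exec, "indicators": hits,
            "lexical_hits": lexical, "declared": declared, "score": score}

if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

On the sample, `lexical_hits` comes back empty while `auto_exec` and `indicators` still flag the module, which is the evasion the report describes.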
The evolving tactics of these threat actors underscore their adaptability and sophistication, and point toward still more complex code execution chains in a constantly changing threat landscape.