According to new findings from Cisco Talos, threat actors are likely using a tool designed for red teaming exercises to serve up malware.
The program in question is a payload generation framework named MacroPack, which is used to create Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed by French developer Emeric Nasi.
The cybersecurity firm said it discovered artifacts uploaded to VirusTotal from China, Pakistan, Russia, and the United States that were created with MacroPack and used to deliver various payloads such as Havoc, Brute Ratel, and a new variant of PhantomCore, a remote access trojan (RAT) attributed to a hacker group called Head Mare.
“A common feature of all the malicious documents we analyzed that came to our attention is the existence of four non-malicious VBA subroutines,” Talos researcher Vanja Svajcer said.
“These subroutines appeared in all samples and were not obfuscated. They have also never been used by other malware or anywhere else in the documentation.”
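The shared, unobfuscated subroutines are a clustering signal a defender can reproduce. The following Python is an added illustration, not Talos's tooling: it parses procedure declarations out of VBA module text (as extracted with a tool such as olevba) and reports the names common to every sample. The module text and procedure names are constructed placeholders, since the article does not name the four subroutines.

```python
import re
from collections import Counter

# Constructed VBA module text standing in for macros extracted from several
# suspicious documents. Names are placeholders: the article does not name
# the four shared MacroPack subroutines.
SAMPLES = {
    "doc_a": "Sub AutoOpen()\n Call fkqwe\nEnd Sub\nPrivate Sub Helper1()\nEnd Sub\n"
             "Sub Helper2()\nEnd Sub\nFunction fkqwe()\nEnd Function\n",
    "doc_b": "Sub Document_Open()\n Call zrtpl\nEnd Sub\nPrivate Sub Helper1()\nEnd Sub\n"
             "Sub Helper2()\nEnd Sub\nFunction zrtpl()\nEnd Function\n",
    "doc_c": "Sub AutoOpen()\nEnd Sub\nSub Helper2()\nEnd Sub\n",
}

# A Sub/Function declaration at line start, with optional visibility keyword.
DECL_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)
# Auto-execution entry points are excluded from the fingerprint: every
# macro-based lure needs one, so they carry no attribution value.
AUTOEXEC = {"autoopen", "document_open", "workbook_open", "auto_open"}


def procedure_names(vba: str) -> set:
    """Set of Sub/Function names declared in one VBA module."""
    return {m.group(1) for m in DECL_RE.finditer(vba)}


def has_autoexec(vba: str) -> bool:
    """True if the module declares an auto-run entry point."""
    return any(n.lower() in AUTOEXEC for n in procedure_names(vba))


def shared_procedures(samples: dict, min_share: float = 1.0) -> set:
    """Non-autoexec procedure names present in >= min_share of the samples.

    With min_share=1.0 this yields the names common to every sample, the
    kind of unobfuscated shared-code fingerprint described in the article.
    """
    counts = Counter()
    for src in samples.values():
        counts.update(procedure_names(src))
    needed = min_share * len(samples)
    return {n for n, c in counts.items()
            if c >= needed and n.lower() not in AUTOEXEC}


if __name__ == "__main__":
    print("shared by all samples:", shared_procedures(SAMPLES))
    print("shared by at least 2/3:", shared_procedures(SAMPLES, 0.66))
```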
An important aspect to note here is that the lure topics covered by these documents range from generic themes that simply tell users to enable macros to official-looking documents that appear to come from military organizations. This suggests that several distinct threat actors are involved.
Some of the documents were also observed using advanced features offered as part of MacroPack to bypass heuristic anti-malware detection by concealing the malicious functionality behind function and variable names generated with Markov chains so that they appear meaningful.
The attack chains observed between May and July 2024 follow a three-step process: a booby-trapped Office document containing MacroPack VBA code is delivered, that code decodes the next-stage payload, and the second stage in turn extracts and executes the final malware.
This is a sign that threat actors are constantly updating their tactics in response to disruptions and using more sophisticated code execution approaches.