Cybercriminals have been using MacroPack, a legitimate framework created for red team exercises, to disseminate harmful payloads, including the Brute Ratel and Havoc tools, as well as a new version of the PhantomCore remote access trojan (RAT). Analysis of the MacroPack lure documents showed obfuscation tactics used to sidestep detection, such as function and variable renaming, string encoding, and the removal of comments and extra whitespace. These activities were aimed at victims in China, Pakistan, Russia, and the United States.
When researchers at Cisco Talos delved into the matter, they discovered various clusters of MacroPack-generated documents, each with unique lure themes and payloads. The initial cluster consisted of generic Word documents prompting users to activate content, which would then allow the malicious macros to operate. These documents, originating from China, Taiwan, and Pakistan, dispensed the Havoc post-exploitation framework as the final payload.
Havoc, an open-source tool used by penetration testers and red teams, has also been misused by threat actors for malicious ends. The Havoc implants, known as ‘demons,’ grant attackers remote access to compromised systems. The subsequent cluster of documents, uploaded from Pakistan, presented military-themed lures, such as a circular announcing awards for officers in the Pakistani Air Force. These documents distributed Brute Ratel, another legitimate red teaming framework that has been co-opted by actual threat actors.
Brute Ratel allows for a wide array of malicious activities, such as remote command execution, lateral movement, persistence, and evasion of endpoint security solutions. The payloads from Brute Ratel employed DNS over HTTPS and Amazon CloudFront CDN servers for command-and-control communications.
A striking feature of the MacroPack-generated documents was the inclusion of four non-malicious VBA subroutines. These benign functions, sourced from a website hosting VBA examples and a French Microsoft Word programming book, were likely incorporated to decrease the overall entropy of the code and bypass heuristic-driven detection. The author of MacroPack also integrated a mechanism to generate function and variable names using Markov chains, crafting seemingly sensible names to further evade detection.
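Whole-module entropy is exactly the measure that the benign padding described above is meant to pull down. As an added illustration (not code from the Talos report or from MacroPack), this Python script scores each VBA Sub on its own, so a readable filler routine cannot mask a neighbouring encoded block; the macro text, the routine names and the 5.0 bits/char cutoff are all constructed assumptions.

```python
import math
import re
from collections import Counter
# Constructed VBA module (not a MacroPack sample): one readable filler sub of the
# kind the Talos report describes, beside a sub with a random-looking name whose
# body is mostly an encoded string literal (each of 64 symbols used equally often).
SAMPLE_VBA = """\
Sub CountParagraphWords()
    ' Filler: count the words in each paragraph of the document
    Dim i As Integer
    Dim total As Integer
    For i = 1 To ActiveDocument.Paragraphs.Count
        total = total + ActiveDocument.Paragraphs(i).Range.Words.Count
    Next i
    MsgBox "Words in document: " & total
End Sub

Sub Malvenor()
    Dim p As String
    p = "Aq0Br1Cs2Dt3Eu4Fv5Gw6Hx7Iy8Jz9Ka+Lb/McNdOePfQgRhSiTjUkVlWmXnYoZp"
    p = p & "Za/Yb+Xc9Wd8Ve7Uf6Tg5Sh4Ri3Qj2Pk1Ol0NmMnLoKpJqIrHsGtFuEvDwCxByAz"
    p = p & "0Hq1Ir2Js3Kt4Lu5Mv6Nw7Ox8Py9Qz+Ra/SbTcUdVeWfXgYhZiAjBkClDmEnFoGp"
    Decode p
End Sub
"""

# One Sub/Function from its header line to its matching End line.
BLOCK_RE = re.compile(
    r"^(?:Public |Private )?(?:Sub|Function)\s+(\w+)\s*\(.*?^End (?:Sub|Function)",
    re.MULTILINE | re.DOTALL,
)

def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def block_entropies(vba: str) -> dict:
    """Entropy of each Sub/Function on its own, so filler cannot dilute it."""
    return {m.group(1): shannon_entropy(m.group(0)) for m in BLOCK_RE.finditer(vba)}

def flag_blocks(vba: str, threshold: float = 5.0) -> list:
    """Names of blocks above `threshold` bits/char (5.0 is an assumed cutoff)."""
    return [name for name, h in block_entropies(vba).items() if h > threshold]

if __name__ == "__main__":
    print(f"whole module: {shannon_entropy(SAMPLE_VBA):.2f} bits/char")
    for name, h in block_entropies(SAMPLE_VBA).items():
        print(f"{name:>20}: {h:.2f} bits/char")
    print("flagged:", flag_blocks(SAMPLE_VBA))
```

Run against a real module, the whole-file score sits between the filler and the encoded routine, which is why the per-routine score is the one worth alerting on.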
Although the observed tactics, techniques, and procedures (TTPs) in these samples were undoubtedly malicious, the researchers were unable to attribute the actions to a single threat actor and did not exclude the possibility that some of the documents might have represented red teaming exercises rather than real-world attacks. While the researchers have shared indicators of compromise (IOCs) linked to the identified samples, certain details were omitted from the report due to the likelihood of them being part of legitimate red team activities.