Threat actors are leveraging a tool designated for red team exercises, MacroPack, to deploy malware, according to Cisco Talos.
The researchers discovered several related Microsoft documents uploaded to VirusTotal between May and July 2024, all of which were generated by a version of a payload generator framework called MacroPack.
These documents were uploaded from various actors and countries, including China, Pakistan, Russia and the US.
The malicious files were used to deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT).
Read now: Palo Alto's GlobalProtect VPN Spoofed to Deliver New Malware Variant
MacroPack an Effective Tool for Payload Deployment
MacroPack is a tool that enables various payloads to be quickly generated into different file types including Office-support formats, with users able to build working implants with a single command line.
MacroPack also exists in a professional, supported version, which contains additional functionality to make payloads more resilient and has some more advanced features such as anti-malware bypass, more advanced payloads, anti-reversing and additional payloads.
The tool is intended for use by red team members and not for malicious purposes. However, there is no control over who uses the free version of the tool.
The researchers noted that the code generated by the MacroPack framework has a number of characteristics that are designed to bypass anti-malware protections. These include function renaming, variable renaming, removal of surplus space characters, removal of comments and payload obfuscation.
Read Teaming Tool Abused by Malicious Actors
Talos observed the existence of four non-malicious subroutines in all the documents it analyzed. They had never been used by any other malicious subroutines or anywhere else in any documents.
Subroutines are sections of code written outside of the main program.
It is likely that the inclusion of the benign code is designed to lower the level of suspicion of the code generated by MacroPack, circumventing anti-malware tools.
At first, the company suspected all the documents were created by a single threat actor. However, the different document lures and countries where the documents were uploaded led it to conclude that those subroutines were included by the professional version of MacroPack.
For example, the first cluster of three documents, uploaded to VirusTotal from IP addresses residing in China, Taiwan and Pakistan, contained similar lures with a generic Word document content that instructs the users to “enable content.”
In contrast, the second cluster of documents were uploaded from two different locations in Pakistan, using Pakistani military-related themes as lures.
As a result, the researchers assessed with moderate confidence that malicious actors are using MacroPack to deploy malicious payloads.
“Although the visual basic for applications (VBA) code was similar – using obfuscated variable and function names and one or more layers of obfuscated code in their following stages – the lure themes were different, ranging from generic topics that instruct users to enable VBA macros, to official-looking documents and letters that appear to come from military organizations, pointing to various distinct threat actors,” the researchers wrote.