MacroPack is a convenient tool for generating obfuscated VBA payloads, and it remains a risk even now that Microsoft blocks macro execution by default in Office documents downloaded from the internet.
The tool can emit several output types, including Office documents, scripts and shortcut files, and applies obfuscation such as renaming variables and functions, encoding strings, and other transformations that hide the generated code.
The tool is intended for red team operations, but the existence of a freely available version is itself a red flag: nothing restricts it to legitimate users.
Analysts at Cisco Talos found that threat actors have been actively abusing the red team tool MacroPack to deliver multiple malicious payloads.
Much of the criticism from security professionals centers on how the framework is marketed.
Its ability to generate payloads that evade content-signature detection, together with a paid professional edition advertised as adding advanced features such as anti-malware bypass and anti-reversing capabilities, has continued to attract a variety of threat actors.
Documents flagged as suspicious during threat hunting, which could not be attributed to UNC1151, contained VBA code resembling the scheme used by MacroPack's commercial edition, even though that code was never invoked in any of the observed infection chains.
Looking across this set of malicious documents, a distinct recurring pattern emerged: the same benign-looking subroutines appeared in sample after sample.
Researchers found that these subroutines were copied from online VBA examples, one of them from Michel Martin's book Redigez Facilement Des Documents Avec Word, and that their presence is characteristic of the MacroPack premium edition used to build the malware.
The malicious documents typically use a three-stage infection chain before establishing C2 communication. Some samples were confirmed to be red team exercises; others remained unattributed.
The consistent TTPs and document lures suggest that multiple threat actors are using MacroPack, though attributing activity to specific groups proved difficult.
These findings illustrate how attackers currently disguise malicious code and underline the need for layered threat-intelligence techniques in defensive work.
Malicious documents built with MacroPack, a VBA macro obfuscation tool, were uploaded to VirusTotal from China, Pakistan, Russia, and the U.S. between 2023 and 2024.
They featured varied themes and payloads:
- Uploads from China delivered Havoc Demon and Brute Ratel payloads using Chinese- and English-language lures.
- Documents uploaded from Pakistan used military-themed lures to deploy Brute Ratel badger DLLs with advanced C2.
- An upload from Russia delivered the PhantomCore backdoor, attributed to Ukrainian hacktivists.
- An upload from the U.S. included sandbox-evasion checks and attempted to download an HTML Application (HTA) payload.
All of the documents used VBA macros to launch malicious code, frequently in the form of shellcode loaders that complete the infection.
The C2 servers were spread across a number of IP ranges, and communication was routed through DNS tunneling and CDN servers.
The payloads also carried versatile post-exploitation toolkits capable of remote control, lateral movement within a network, and data exfiltration.
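To make the obfuscation features described above (renamed variables and functions, encoded strings) and the VBA-launched loaders in these samples concrete, the following Python script is an example added to this article; it is not code from MacroPack, from Cisco Talos, or from the article's author. It scores a macro's source against generic obfuscation indicators and statically resolves Chr()-chains and StrReverse() literals to show what they hide. Both sample macros are constructed for the demo, the score weights are illustrative assumptions, and the heuristics are general obfuscation tells, not MacroPack signatures.

```python
"""Heuristic triage of VBA macro source for obfuscation indicators.

Standard library only; run `python vba_triage.py` for a demo.
"""
import re

# Constructed sample macro imitating the techniques described in the article
# (random identifiers, Chr()-built strings, StrReverse, an encoded command
# line, an autoexec entry point). It is NOT real MacroPack output. The -enc
# token is base64 of UTF-16LE "Write-Host 'hi'", i.e. a harmless placeholder.
OBFUSCATED_VBA = r'''
Sub AutoOpen()
    Dim xkq7Lz As String
    xkq7Lz = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Dim vB9tPq As Object
    Set vB9tPq = CreateObject(StrReverse("llehS.tpircSW"))
    vB9tPq.Run xkq7Lz & " -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdACgACcAaABpACcA", 0
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = r'''
Sub FormatReport()
    Dim lastRow As Long
    lastRow = Cells(Rows.Count, 1).End(xlUp).Row
    Range("A1:D" & lastRow).Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''

IC = re.IGNORECASE
# Declared names: Dim/Set variables and Sub/Function names (line-anchored so
# "End Sub" is not mistaken for a declaration).
DECL = re.compile(r'^[ \t]*(?:Dim|Set|(?:Private\s+|Public\s+)?(?:Sub|Function))\s+([A-Za-z_]\w*)',
                  IC | re.MULTILINE)
CHR_CALL = re.compile(r'\bChrW?\s*\(\s*\d+\s*\)', IC)
CHR_CHAIN = re.compile(r'(?:ChrW?\s*\(\s*\d+\s*\)\s*(?:&\s*)?){2,}', IC)
STRREVERSE = re.compile(r'\bStrReverse\s*\(\s*"([^"]*)"\s*\)', IC)
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')
AUTOEXEC = re.compile(r'\b(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|'
                      r'Document_Close|Workbook_Open|Workbook_Close)\b', IC)
EXEC_PRIM = re.compile(r'\b(CreateObject|Shell|Run|PowerShell|mshta)\b', IC)


def looks_random(name):
    """True for names like xkq7Lz: digits inside mixed-case letters, or almost
    no vowels. Human-written names usually fail both tests."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 5 or not letters:
        return False
    has_digit = any(c.isdigit() for c in name)
    mixed_case = any(c.isupper() for c in letters) and any(c.islower() for c in letters)
    vowel_ratio = sum(c.lower() in 'aeiou' for c in letters) / len(letters)
    return (has_digit and mixed_case) or vowel_ratio < 0.15


def reveal_strings(src):
    """Statically resolve Chr(n) & Chr(n) ... chains and StrReverse("...")
    literals into the strings they build at runtime."""
    revealed = []
    for m in CHR_CHAIN.finditer(src):
        codes = re.findall(r'\(\s*(\d+)\s*\)', m.group(0))
        revealed.append(''.join(chr(int(c)) for c in codes))
    for literal in STRREVERSE.findall(src):
        revealed.append(literal[::-1])
    return revealed


def score_vba(src):
    """Return (score, findings). Weights are illustrative, not tuned."""
    names = set(DECL.findall(src))
    f = {
        'random_identifiers': sorted(n for n in names if looks_random(n)),
        'chr_calls': len(CHR_CALL.findall(src)),
        'strreverse_calls': len(STRREVERSE.findall(src)),
        'long_b64_tokens': len(B64_TOKEN.findall(src)),
        'autoexec': sorted({m.lower() for m in AUTOEXEC.findall(src)}),
        'exec_primitives': sorted({m.lower() for m in EXEC_PRIM.findall(src)}),
        'revealed_strings': reveal_strings(src),
    }
    score = (3 * len(f['random_identifiers'])
             + min(f['chr_calls'], 10)
             + 2 * f['strreverse_calls']
             + 4 * f['long_b64_tokens']
             + (5 if f['autoexec'] else 0)
             + 3 * len(f['exec_primitives']))
    # Primitives that only appear after de-obfuscation: a plain string scan
    # would have missed them, so they count extra.
    hidden = {m.lower() for s in f['revealed_strings'] for m in EXEC_PRIM.findall(s)}
    f['hidden_primitives'] = sorted(hidden)
    score += 3 * len(hidden - set(f['exec_primitives']))
    return score, f


if __name__ == '__main__':
    for label, src in (('obfuscated', OBFUSCATED_VBA), ('benign', BENIGN_VBA)):
        s, findings = score_vba(src)
        print(f'{label}: score={s}')
        for k, v in findings.items():
            print(f'  {k}: {v}')
```

In practice the input would be macro source extracted from a document with a tool such as olevba from oletools; the script deliberately depends on nothing outside the standard library so it runs offline. Treat the score as a triage aid rather than a verdict: legitimate macros that build strings with Chr() will score too, which is exactly why the revealed strings are returned alongside the number, so an analyst can see what the obfuscation was hiding (here, `powershell` and `WScript.Shell`).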