Threat Actors Exploited MacroPack To Deploy Dangerous Payloads


Cybercriminals may have leveraged MacroPack, a legitimate framework designed for red team exercises, to distribute malicious payloads such as the Brute Ratel and Havoc tools, as well as a new variant of the PhantomCore remote access trojan (RAT).

Analysis of MacroPack lure documents revealed the use of obfuscation techniques to evade detection, such as function and variable renaming, string encoding, and removal of comments and surplus whitespace. These campaigns targeted victims in China, Pakistan, Russia and the U.S.

MacroPack-Generated Malware Payloads

Researchers at Cisco Talos discovered several clusters of MacroPack-generated documents, each with distinct lure themes and payloads.

The first cluster featured generic Word documents instructing users to enable content, which would allow the malicious macros to execute. These documents, uploaded from China, Taiwan and Pakistan, delivered the Havoc post-exploitation framework as the final payload.

[Figure: MacroPack Malware Payloads. Source: https://blog.talosintelligence.com/]

Havoc is a free, open-source tool used by penetration testers and red teams. However, threat actors have also abused it for malicious purposes. The Havoc implants, or ‘demons,’ allow attackers to remotely control affected systems.

The second cluster of documents, uploaded from Pakistan, had military-themed lures, such as a circular announcing awards for Pakistani Air Force officers. These documents delivered Brute Ratel, another popular red teaming framework that has been co-opted by real threat actors.

Brute Ratel enables a wide range of malicious activities, including remote command execution, lateral movement, persistence, and evasion of endpoint security solutions. The Brute Ratel payloads used DNS over HTTPS and Amazon CloudFront CDN servers for command-and-control communications.

Obfuscation Techniques

One notable aspect of the MacroPack-generated documents was the inclusion of four non-malicious VBA subroutines. These benign functions, traced back to a website hosting VBA examples and a French Microsoft Word programming book, were likely included because their low entropy lowers the overall entropy of the generated code, helping it bypass heuristic-based detection.

The MacroPack author also implemented a feature to generate function and variable names using Markov chains, creating seemingly meaningful names to further evade detection.
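To make the entropy-padding point concrete from the detection side, here is an added example (not code from the Talos report or from MacroPack) that scores a constructed VBA module three ways: as a whole, per subroutine, and per string literal. The VBA text, the subroutine names and the thresholds (4.5 bits/char, minimum literal length 12) are all assumptions made for this illustration; the "suspicious" routine merely builds a string and does nothing else.

```python
"""Entropy scoring of VBA macro text: whole-module vs per-subroutine vs per-literal.

All VBA below is constructed for this example; it is not a sample from the
Talos report. Whole-module entropy blends every routine together, so benign
padding pulls the score toward ordinary code, while per-subroutine and
per-literal scores are unaffected by what surrounds them.
"""
import math
import re
from collections import Counter

# Constructed stand-in for a string-encoded value: 35 distinct characters, so its
# entropy is log2(35) ~ 5.13 bits/char, well above ordinary code or English text.
RANDOM_LITERAL = "Jx9#mQ!2vR$Lz8@Wp&Hs^Ty%Ue*Gb(Nc)Df"

# Constructed "suspicious" subroutine: renamed identifier, high-entropy literal,
# and a reversed string (StrReverse is a real VBA function). It only builds strings.
SUSPICIOUS_SUB = f'''Sub xKqj()
    Dim a As String
    a = "{RANDOM_LITERAL}"
    Dim b As String
    b = StrReverse("eulaVdedocne")
End Sub
'''

# Constructed benign routines of the kind found in VBA tutorials, used as padding.
BENIGN_SUBS = '''Sub ColorCells()
    Dim cell As Range
    For Each cell In Selection
        cell.Interior.Color = RGB(200, 200, 200)
    Next cell
End Sub

Sub CountWords()
    Dim count As Long
    count = ActiveDocument.Words.Count
    MsgBox "Word count: " & count
End Sub
'''

# The padded module is what a heuristic scanner would see as one unit.
PADDED_MODULE = SUSPICIOUS_SUB + "\n" + BENIGN_SUBS

SUB_RE = re.compile(r"^Sub\s+(\w+)\(\).*?^End Sub", re.S | re.M)
LITERAL_RE = re.compile(r'"([^"\n]*)"')


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the text in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def per_sub_entropy(module: str) -> dict[str, float]:
    """Entropy of each 'Sub ... End Sub' block, keyed by subroutine name."""
    return {m.group(1): shannon_entropy(m.group(0)) for m in SUB_RE.finditer(module)}


def high_entropy_literals(module: str, threshold: float = 4.5, min_len: int = 12) -> list[str]:
    """String literals long enough and random-looking enough to merit a closer look.

    The threshold and minimum length are assumed values for this example.
    """
    return [
        s for s in LITERAL_RE.findall(module)
        if len(s) >= min_len and shannon_entropy(s) >= threshold
    ]


def score_module(module: str) -> dict:
    """Whole-module score alongside the finer-grained scores a scanner should keep."""
    return {
        "module": shannon_entropy(module),
        "subs": per_sub_entropy(module),
        "literals": high_entropy_literals(module),
    }


if __name__ == "__main__":
    print(f"suspicious routine alone: {shannon_entropy(SUSPICIOUS_SUB):.3f} bits/char")
    padded = score_module(PADDED_MODULE)
    print(f"padded module as a whole: {padded['module']:.3f} bits/char")
    for name, h in padded["subs"].items():
        print(f"  {name:12s} {h:.3f} bits/char")
    print("flagged literals:", padded["literals"])
```

The design choice here is to never let the whole-module number be the only signal: a routine's entropy does not change when benign code is appended around it, and a long literal made of mostly distinct characters stands out regardless of how much tutorial code sits in the same module.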

While the tactics, techniques and procedures (TTPs) observed in these samples were clearly malicious, the researchers were unable to attribute the activities to a single threat actor, and did not rule out the possibility that at least some of the documents represented red teaming exercises rather than real-world attacks.

While the researchers have shared indicators of compromise (IOCs) related to the discovered samples, some were excluded from the report because they may have been part of legitimate red team activities.
