Risk actors are leveraging a device designated for red team exercises, MacroPack, to deploy malware, in line with Cisco Talos.
The researchers found a number of associated Microsoft paperwork uploaded to VirusTotal between Could and July 2024, all of which have been generated by a model of a payload generator framework referred to as MacroPack.
These paperwork have been uploaded from numerous actors and international locations, together with China, Pakistan, Russia and the US.
The malicious recordsdata have been used to deliver multiple payloads, together with the Havoc and Brute Ratel post-exploitation frameworks and a brand new variant of the PhantomCore remote access trojan (RAT).
Read now: Palo Alto’s GlobalProtect VPN Spoofed to Deliver New Malware Variant
MacroPack an Efficient Software for Payload Deployment
MacroPack is a device that allows numerous payloads to be rapidly generated into completely different file sorts together with Workplace-support codecs, with customers in a position to construct working implants with a single command line.
MacroPack additionally exists in an expert, supported model, which incorporates extra performance to make payloads extra resilient and has some extra superior options corresponding to anti-malware bypass, extra superior payloads, anti-reversing and extra payloads.
The device is meant to be used by crimson group members and never for malicious functions. Nevertheless, there isn’t a management over who makes use of the free model of the device.
The researchers famous that the code generated by the MacroPack framework has quite a lot of traits which are designed to bypass anti-malware protections. These embrace perform renaming, variable renaming, elimination of surplus area characters, elimination of feedback and payload obfuscation.
Learn Teaming Software Abused by Malicious Actors
Talos noticed the existence of 4 non-malicious subroutines in all of the paperwork it analyzed. They’d by no means been utilized by some other malicious subroutines or anyplace else in any paperwork.
Subroutines are sections of code written outdoors of the primary program.
It’s seemingly that the inclusion of the benign code is designed to decrease the extent of suspicion of the code generated by MacroPack, circumventing anti-malware instruments.
At first, the corporate suspected all of the paperwork have been created by a single risk actor. Nevertheless, the completely different doc lures and international locations the place the paperwork have been uploaded led it to conclude that these subroutines have been included by the skilled model of MacroPack.
For instance, the primary cluster of three paperwork, uploaded to VirusTotal from IP addresses residing in China, Taiwan and Pakistan, contained comparable lures with a generic Phrase doc content material that instructs the customers to “allow content material.”
In distinction, the second cluster of paperwork have been uploaded from two completely different areas in Pakistan, utilizing Pakistani military-related themes as lures.
Consequently, the researchers assessed with average confidence that malicious actors are utilizing MacroPack to deploy malicious payloads.
“Though the visible primary for purposes (VBA) code was comparable – utilizing obfuscated variable and performance names and a number of layers of obfuscated code of their following levels – the lure themes have been completely different, starting from generic subjects that instruct customers to allow VBA macros, to official-looking paperwork and letters that seem to come back from navy organizations, pointing to varied distinct risk actors,” the researchers wrote.