Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore

September 5, 2024 at 04:15AM

Cisco Talos has found that threat actors are likely using MacroPack, a payload generation framework built for red-team engagements, to distribute malware. Several of the malicious documents it analyzed evaded anti-malware detection and follow a three-stage attack chain. The attackers combine evasion features of the framework with a wide range of lure themes, which suggests that more than one distinct threat actor is involved.

According to the Talos report, the tool in question is MacroPack, developed by Emeric Nasi for penetration testing and social engineering assessments. The payloads delivered through it include the Havoc and Brute Ratel command-and-control frameworks and a new variant of PhantomCore. The documents are padded with benign, unobfuscated VBA subroutines that serve no purpose for the attack; they exist to make the macro project look like ordinary office automation and to draw attention away from the malicious routine. The lure themes vary widely from document to document, which again points to distinct threat actors. Some of the documents bypassed anti-malware heuristic detection by using MacroPack's more advanced evasion features. The attack chain is: a booby-trapped Office document carrying MacroPack-generated VBA code is delivered to the victim; when the macro runs it decodes a next-stage payload; that stage in turn executes the final malware. The campaign shows threat actors continuing to adopt more sophisticated code-execution techniques, including tooling originally written for legitimate red teams.
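The first stage of the chain described above, a VBA project in which one auto-executing routine hands off to a payload routine while other, harmless procedures act as decoys, is what an analyst has to triage. The following script is an added example written for this page; it is not Talos code and not part of MacroPack. It assumes the macro source has already been extracted from the document (for example with olevba from oletools, a step not shown here) and operates on a constructed VBA module embedded inline. It identifies auto-exec entry points, flags procedures that call suspicious APIs, lists which procedures the entry point invokes, separates out the decoy procedures that do nothing suspicious, and decodes any `powershell -enc` blob it finds so the analyst can see the next-stage command in clear text.

```python
"""Triage of extracted VBA macro source (added example, not from the report).

Assumes the VBA text has already been pulled out of the document. The sample
module below is constructed for this example and is harmless: its encoded
PowerShell payload is only "Write-Host hello".
"""
import base64
import json
import re

# Constructed sample: one auto-exec trigger, two benign decoy routines,
# and one routine that launches an encoded PowerShell command.
_ENC = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()
SAMPLE_VBA = rf'''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    InitReport
    RunPayload
End Sub

Public Function FormatTitle(s As String) As String
    FormatTitle = UCase(Trim(s))
End Function

Sub InitReport()
    Dim x As Integer
    x = 1 + 1
End Sub

Private Sub RunPayload()
    Dim sh As Object, cmd As String
    Set sh = CreateObject("WScript.Shell")
    cmd = "powershell -nop -w hidden -enc {_ENC}"
    sh.Run cmd, 0, False
End Sub
'''

# Procedure names Office runs without user interaction.
AUTO_EXEC = re.compile(
    r"\b(AutoOpen|AutoExec|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
# APIs and objects commonly used by macro droppers (an assumed, partial list).
SUSPICIOUS = re.compile(
    r"\b(CreateObject|GetObject|WScript\.Shell|Shell|Environ|URLDownloadToFile|"
    r"CallByName|RtlMoveMemory|VirtualAlloc|CreateThread)\b", re.I)
PROC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(Sub|Function)\s+(\w+)", re.I | re.M)
ENC_PS = re.compile(
    r"powershell[^\"']*?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def split_procedures(src):
    """Return {name: source text} for every Sub/Function in the module."""
    procs = {}
    matches = list(PROC.finditer(src))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(src)
        procs[m.group(2)] = src[m.start():end]
    return procs


def decode_encoded_powershell(src):
    """Decode -EncodedCommand blobs, which PowerShell expects as UTF-16LE base64."""
    decoded = []
    for m in ENC_PS.finditer(src):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable>")
    return decoded


def triage(src):
    """Summarise entry points, suspicious routines, decoys and decoded commands."""
    procs = split_procedures(src)
    entry = [n for n in procs if AUTO_EXEC.search(n)]
    hits = {n: sorted({m.group(1) for m in SUSPICIOUS.finditer(body)}, key=str.lower)
            for n, body in procs.items()}
    hits = {n: h for n, h in hits.items() if h}
    # Procedures referenced by name from an auto-exec routine (one hop).
    called = set()
    for n in entry:
        called.update(p for p in procs
                      if p != n and re.search(r"\b%s\b" % re.escape(p), procs[n]))
    # Decoys: neither an entry point nor a caller of anything suspicious.
    decoy = [n for n in procs if n not in hits and n not in entry]
    return {
        "entry_points": entry,
        "suspicious": hits,
        "called_from_entry": sorted(called),
        "decoy_procedures": sorted(decoy),
        "decoded_commands": decode_encoded_powershell(src),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

On the sample, the report shows `Document_Open` as the entry point, `RunPayload` as the only routine touching `CreateObject` and `WScript.Shell`, `FormatTitle` and `InitReport` as decoys, and the decoded command `Write-Host hello`. The keyword list is deliberately short; in practice it should be extended with the APIs your own detections care about, and the one-hop call check should be made recursive for projects where the payload routine is reached through several layers of decoy calls.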
