September 4, 2024 at 06:06PM
The MacroPack framework, originally built for Red Team exercises, is being abused by threat actors to distribute malicious payloads such as Havoc, Brute Ratel, and PhantomCore. Security researchers at Cisco Talos found malicious documents in several countries, indicating widespread abuse. These attacks use advanced evasion techniques and represent a concerning trend. Ransomware groups also leverage Brute Ratel as an alternative to Cobalt Strike. The use of MacroPack in these attacks poses an additional challenge for defenders. BleepingComputer has reached out to the creator for comment.
MacroPack, a framework originally designed for Red Team exercises, is now being exploited by threat actors to deploy malicious payloads such as Havoc, Brute Ratel, and PhantomCore.
Security researchers at Cisco Talos have identified a pattern of abuse based on malicious documents observed in various countries, including the United States, Russia, China, and Pakistan. The documents use sophisticated infection chains built with MacroPack's advanced features, such as anti-malware bypass and code obfuscation.
A distinctive marker of documents built with MacroPack Pro is a set of four non-malicious VBA subroutines that the professional version of the framework inserts. When a victim opens one of these documents, a first-stage VBA routine runs and loads a malicious DLL, which then connects to the attackers' C2 server.
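The two indicators above (a handful of harmless, never-called VBA procedures sitting next to a first stage that loads a DLL) can be turned into a simple triage heuristic. The following is an added example, not code from the original article, Cisco Talos, or the MacroPack project: it parses a VBA module, builds a rough call graph, separates procedures that contain no suspicious API usage and are never referenced from the rest, and flags the module when several such "filler" procedures coexist with a DLL-loading stage. The sample VBA module, its procedure names, the suspicious-token list and the threshold of four are all constructed for this example and are not the actual signature Talos describes.

```python
import re

# Constructed sample VBA module for this example only. It is NOT a real
# MacroPack Pro sample: the procedure names and bodies are invented to mimic
# the shape described in the text (several harmless, never-called subroutines
# next to an auto-executing first stage that writes and loads a DLL).
SAMPLE_VBA = r"""
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr

Private Sub FormatHeader()
    Dim s As String
    s = "Quarterly"
    s = s & " report"
End Sub

Private Sub CheckDate()
    Dim d As Date
    d = Date
End Sub

Private Function AddNumbers(a As Long, b As Long) As Long
    AddNumbers = a + b
End Function

Private Sub ResetCounter()
    Dim n As Long
    n = 0
End Sub

Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\upd.dll"
    DropPayload p
    LoadLibraryA p
End Sub

Private Sub DropPayload(path As String)
    Dim f As Integer
    f = FreeFile
    Open path For Binary Access Write As #f
    Put #f, , Payload()
    Close #f
End Sub

Private Function Payload() As Byte()
    Dim b(3) As Byte
    Payload = b
End Function
"""

# One procedure: optional visibility, Sub/Function, name, argument list, body up to the matching End Sub/End Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(Sub|Function)\s+(\w+)\s*\(.*?^[ \t]*End\s+\1\b",
    re.MULTILINE | re.DOTALL | re.IGNORECASE,
)
# Win32 imports: Declare [PtrSafe] Sub/Function <name> Lib "<dll>" ...
DECLARE_RE = re.compile(
    r'^[ \t]*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?(?:Sub|Function)\s+(\w+)\s+Lib\s+"([^"]+)"',
    re.MULTILINE | re.IGNORECASE,
)
# Procedures Office runs automatically (entry points never need a caller).
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "workbook_open",
             "autoexec", "autoclose", "document_close", "workbook_activate"}
# Heuristic token list (assumption for this example, not an exhaustive rule set).
SUSPICIOUS_RE = re.compile(
    r"\b(CreateObject|GetObject|Shell|WScript|Environ|LoadLibrary\w*|URLDownloadToFile\w*"
    r"|ADODB|CallByName|rundll32|regsvr32)\b|Put\s*#",
    re.IGNORECASE,
)


def extract_procedures(vba: str) -> dict[str, str]:
    """Map procedure name -> body text (header line removed)."""
    procs = {}
    for m in PROC_RE.finditer(vba):
        full = m.group(0)
        procs[m.group(2)] = full.split("\n", 1)[1] if "\n" in full else ""
    return procs


def analyze_module(vba: str) -> dict:
    """Classify procedures and flag modules that look like framework-generated filler plus a loader."""
    procs = extract_procedures(vba)
    declares = {name: lib for name, lib in DECLARE_RE.findall(vba)}
    api_re = (re.compile(r"\b(" + "|".join(map(re.escape, declares)) + r")\b", re.IGNORECASE)
              if declares else None)

    # Rough call graph: a procedure is "called" if another procedure's body names it.
    called = set()
    for caller, body in procs.items():
        for callee in procs:
            if callee != caller and re.search(rf"\b{re.escape(callee)}\b", body, re.IGNORECASE):
                called.add(callee)

    entry_points = sorted(n for n in procs if n.lower() in AUTO_EXEC)
    suspicious = sorted(n for n, body in procs.items()
                        if SUSPICIOUS_RE.search(body) or (api_re and api_re.search(body)))
    # Filler: never referenced, not auto-executed, no suspicious API usage.
    filler = sorted(n for n in procs
                    if n not in called and n.lower() not in AUTO_EXEC and n not in suspicious)
    return {
        "procedures": sorted(procs),
        "entry_points": entry_points,
        "declared_apis": declares,
        "suspicious": suspicious,
        "unreferenced_benign": filler,
        # Threshold of four filler procedures is an assumption mirroring the text, not a tested signature.
        "macropack_pro_like": len(filler) >= 4 and bool(suspicious or declares),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_module(SAMPLE_VBA), indent=2))
```

To run this against real documents, feed it the VBA source extracted by a macro extractor such as oletools' olevba rather than the constructed module above; the heuristic is deliberately loose (name collisions and string-built calls will fool the call graph), so treat a hit as a triage lead, not a verdict.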
Cisco Talos' report outlines specific clusters of malicious activity associated with MacroPack abuse in China, Pakistan, Russia, and the U.S. The abuse extends to the Brute Ratel attack framework, used as an alternative to Cobalt Strike, with ransomware groups deploying a cracked version of the tool to evade EDR and AV products during attacks.
MacroPack's obfuscation and evasion features add another layer of stealth to these attacks, presenting a significant challenge for defenders and underscoring the need for robust defences and proactive mitigation of this trend.
BleepingComputer has contacted MacroPack's creator, Emeric Nasi, about the observed abuse, but had not received a response at the time of publication.