
Attackers unleashed havoc with MacroPack, Brute Ratel, and PhantomCore



TLDR:

Key Points:

  • Cyber attackers are using MacroPack to deliver malware such as Havoc, Brute Ratel, and PhantomCore.
  • The malicious documents generated by MacroPack contain benign VBA subroutines alongside advanced features designed to bypass anti-malware detection.

Article Summary:

Cisco Talos has uncovered that threat actors are employing MacroPack, a payload generation framework used for red teaming exercises, to distribute malware. This tool, created by French developer Emeric Nasi, is being used to generate various types of malicious documents that have been uploaded to VirusTotal from different countries including China, Pakistan, Russia, and the U.S.

The malware payloads, including Havoc, Brute Ratel, and a new variant of PhantomCore, have been attributed to a hacktivist group named Head Mare. The malicious documents generated using MacroPack follow distinct themes and use advanced features to conceal malicious functionality and bypass anti-malware heuristic detections.

These attacks follow a three-step process in which booby-trapped Office documents containing MacroPack VBA code are used to ultimately execute the final malware. The involvement of several distinct threat actors, and their constant updating of tactics, indicates that organizations need to remain vigilant and adapt to evolving cyber threats.

