MacroPack Abused By Threat Actors To Deploy Brute Ratel
Written by Karolis Liucveikis on
MacroPack, a framework developed by security researchers for red team exercises, has been abused by various threat actors to deliver several malware payloads to victims. Cisco Talos discovered that threat actors were using MacroPack to deploy malicious payloads that included Havoc, Brute Ratel, and PhantomCore.
Malicious documents from several countries, including the United States, Russia, China, and Pakistan, were uploaded to VirusTotal, indicating that MacroPack is being abused by multiple threat actors.
Upon analysis, it was discovered that the documents varied in their lures, sophistication, and infection vectors. This indicates that MacroPack is being abused by multiple threat actors, signifying the start of a possible future trend.
MacroPack itself deserves a closer look. The framework was developed by French developer Emeric Nasi and was designed to assist red teams, the security researchers hired to compromise networks and show where an organization's security policy is deficient, in creating threat actor attack simulations.
MacroPack includes several advanced features such as anti-malware bypass, anti-reversing techniques, and the ability to build various document payloads with code obfuscation and embed VB scripts designed to evade detection. The feature set no doubt attracts malicious actors, who have abused and will continue to abuse the framework to carry out malicious attacks.
Currently, there is a lite version of MacroPack available for free, as well as a paid Pro version. Cisco Talos researchers noted that there appears to be no control over who uses the free "lite" version. However, much of the advanced feature set is only included in the Pro version.
Cisco Talos reports that the malicious documents it examined were clearly created with MacroPack: Markov-chain-based function and variable renaming, string encoding, and the removal of comments and surplus space characters, all of which are intended to reduce static analysis detection rates, were on display.
Further, the researchers determined that these documents were built with the Pro version, as they contained four non-malicious VBA subroutines, a feature included only in the Pro version and developed to bypass antivirus software detection.
As stated by Cisco Talos researchers,
The inclusion of the benign code is likely to lower the level of suspicion of the code generated by MacroPack. Some anti-malware engines may be able to detect code as suspicious if the entropy of the code is high to indicate pseudo-randomly named variables, functions and obfuscated strings and the inclusion of non-malicious functions with low entropy may be used to lower the overall entropy of the generated code… Some documents containing the non-malicious code, attributed to MacroPack, also used a different technique for generating code. Instead of completely pseudo-randomly generated variable and function names, they consisted of combinations of randomly chosen real words… The MacroPack author indicated that he worked on a feature to generate names using Markov chains to create seemingly meaningful function and variable names… This functionality was included by the MacroPack author to improve the bypassing of anti-malware heuristic detections. We discovered a few samples using this technique to obfuscate the functionality of the code with meaningful-looking function and variable names.
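The quoted passage describes two evasions aimed at heuristic scoring of VBA macros: padding pseudo-randomly named code with benign, low-entropy subroutines, and generating names from real words. The following added example (not from the Talos report or from MacroPack) shows why a file-level score is diluted by padding while a per-identifier check is not, and why a lexical check alone does not catch word-based names; the VBA fragments and the `looks_random` heuristic are constructed for illustration.

```python
import re

# Constructed VBA fragments for illustration; none of this is from the
# Talos report or from MacroPack itself.
RANDOM_ONLY = """
Sub qXzv8Kp3()
    Dim wJ7tRq2 As String
    wJ7tRq2 = Hk2vLm9("payload-placeholder")
    CallByName Zr4pQw1, wJ7tRq2, VbMethod
End Sub
"""
BENIGN_PADDING = """
Sub FormatReportTotals()
    Dim totalValue As Long, rowIndex As Long
    For rowIndex = 1 To 10
        totalValue = totalValue + rowIndex
    Next rowIndex
End Sub
"""
MARKOV_STYLE = """
Sub UpdateInvoiceSummary()
    Dim clientRecordBuffer As String
    clientRecordBuffer = LoadVendorSchedule("payload-placeholder")
    CallByName ReportMailer, clientRecordBuffer, VbMethod
End Sub
"""
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
KEYWORDS = {"Sub", "End", "Dim", "As", "String", "Long", "For", "To",
            "Next", "CallByName", "VbMethod"}

def identifiers(vba: str) -> list:
    """All user-chosen names, with string literal contents and keywords removed."""
    code = re.sub(r'"[^"]*"', '""', vba)
    return [t for t in IDENT_RE.findall(code) if t not in KEYWORDS]

def looks_random(name: str) -> bool:
    """Lexical heuristic (constructed): pseudo-random names mix digits with
    vowel-poor letter runs, whereas real words and compounds are vowel-rich."""
    letters = [c for c in name if c.isalpha()]
    vowels = sum(c.lower() in "aeiou" for c in letters)
    has_digit = any(c.isdigit() for c in name)
    vowel_ratio = vowels / len(letters) if letters else 0.0
    return has_digit and vowel_ratio < 0.25

def flagged_names(vba: str) -> list:
    """Unique identifiers the heuristic flags, in order of first appearance."""
    return list(dict.fromkeys(n for n in identifiers(vba) if looks_random(n)))

def suspicion_ratio(vba: str) -> float:
    """File-level score: share of identifier uses that look random. Benign
    padding lowers this score without changing what flagged_names reports."""
    names = identifiers(vba)
    return sum(looks_random(n) for n in names) / len(names) if names else 0.0
```

For the word-based names in `MARKOV_STYLE` neither function fires, which is the point of the quoted passage: detection for such samples has to come from behaviour and content (dynamic calls, decoded strings, process creation) rather than from identifier shape.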
Lure Themes
The first cluster of malicious documents analyzed by Cisco Talos researchers stemmed from IP addresses residing in China, Taiwan, and Pakistan in May and July 2024. The lure was a basic Word document with an "Enable Content" prompt that, once accepted, allowed the VBA macro code to execute. The command-and-control IP address was traced back to Henan Province, China.
The malware payload deployed from these lures was Havoc, which is a post-exploitation command-and-control (C2) framework made for penetration testers, Red Teams, and Blue Teams. It's free and open-source on GitHub, written and maintained by Paul Ungur.
Havoc is split into two components, namely, the team server and the agent. The team server is responsible for connecting operators and tasking agents and parsing the callbacks, results of commands, uploaded files, and screenshots. The agent allows for remote control of a compromised system.
In another variant stemming from the same IP address in Henan Province, the malware payload was Brute Ratel, which has become a favored alternative to Cobalt Strike amongst ransomware threat actors. In summary, Brute Ratel allows threat actors to carry out the following:
- Deploy agents (called badgers) onto target systems.
- Execute commands remotely.
- Perform lateral movement within a network.
- Establish persistence.
- Evade detection by endpoint security solutions.
In another cluster of malicious documents analyzed, the Pakistani military was used as a lure, with the malicious documents being traced back to two IP addresses in Pakistan. These lures were ultimately used to deliver Brute Ratel as well.
In one document, it was discovered that the Brute Ratel payload included a base64-encoded blob containing a JSON object created to be used with the Adobe Experience Cloud ecosystem for tracking marketing activities. One possible reason for this is that the document was part of a Red Team exercise, and Adobe Experience Cloud was used to track the target's engagement.
The last cluster of documents analyzed by researchers could be traced back to a Russian IP address. The malware payload in this instance was PhantomCore, which has been attributed to the Ukrainian hacktivist Head Mare, who allegedly targeted government organizations and companies in Russia with the goal of cyber espionage. PhantomCore is capable of installing additional malware modules, uploading data, and executing commands.
Cisco Talos researchers stated that they could not identify with absolute certainty any threat group or threat actors behind the distribution of the malicious documents. They also noted that these may indeed be Red Team activities, but this, too, could not be confirmed.