Threat Actors Repurposing a Security Tool for Harmful Intentions

Cisco Talos researchers have discovered that cybercriminals are likely misusing a tool originally designed for red team security drills to spread malware.

You might be interested in: AMD Hacked Again: Sensitive Data Exposed

The tool in question is MacroPack, which is designed to create different types of files, including Office documents, Visual Basic scripts, and Windows shortcuts, for penetration testing and social engineering. Developed by Emeric Nasi, a French creator, MacroPack is meant for cybersecurity purposes but has been twisted for malicious use.

Malware Found in Files From Various Countries

The cybersecurity team identified several files on VirusTotal, uploaded from countries such as China, Pakistan, Russia, and the U.S., that were created using MacroPack. These files were used to deploy various malware payloads, including Havoc, Brute Ratel, and a new version of PhantomCore—a remote access trojan (RAT) associated with the hacktivist group Head Mare.

According to Talos researcher Vanja Svajcer, all the suspicious documents included four harmless VBA subroutines that didn’t trigger any malicious activity. These subroutines were visible across all the samples and had never been used for anything harmful.

Diverse Tactics and Themes

One notable finding is that the themes of these malicious documents vary greatly. Some documents contain generic instructions asking users to enable macros, while others mimic official-looking military communications. This variety suggests that different groups of attackers are behind the campaigns.

Additionally, some documents use advanced MacroPack features to avoid detection by anti-malware software. For example, attackers use Markov chains to disguise malicious code by generating seemingly legitimate function and variable names.

A Three-Step Attack Process

Between May and July 2024, a common attack pattern emerged. The attack starts with a tampered Office document containing MacroPack VBA code, which then decodes a second-stage payload to fetch and execute the final malware.

This evolution highlights how cybercriminals constantly adapt their tactics to bypass security measures and improve their chances of success.