Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.” MacroPack is a framework designed for Red Team exercises, but we assess, with moderate confidence, that malicious actors are also using it to deploy malicious payloads. Talos analyzed the most recent documents uploaded to VirusTotal from different sources and countries, including China, Pakistan, Russia and the U.S., uncovering connections between the payloads and motivations for creating these documents. These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). Talos was not able to attribute these activities to a single actor despite some similarities in tactics, techniques and procedures (TTPs). No Talos customers were affected by these attacks, and there are no related activities in any Cisco product telemetry.

The threat of VBA macros has diminished since Microsoft blocked the execution of macros in Office documents downloaded from the internet, but not all users are running up-to-date Office versions, so many can still be vulnerable.

As part of regular hunting exercises for malicious documents similar to the ones used by UNC1151, we discovered several suspicious documents using VBA macros that were similar but could not be attributed to the same threat actor.

Although the VBA code was similar — using obfuscated variable and function names and one or more layers of obfuscated code in their following stages — the lure themes were different, ranging from generic topics that instruct users to enable VBA macros, to official-looking documents and letters that appear to come from military organizations, pointing t ..
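The obfuscated variable and function names described above are a signal a defender can score from the VBA source alone, without running the macro. The following is an added example, not code from Talos or from MacroPack: it extracts the names declared by Sub/Function headers, their parameters and Dim statements, and flags names that look machine-generated using a vowel-ratio heuristic. Both VBA snippets are constructed and the thresholds are assumptions.

```python
import re

# Constructed VBA snippets (hypothetical, not from any real sample).
OBFUSCATED_VBA = """
Sub AutoOpen()
    Dim qzXkwpLr As String
    Dim mJvtYbnQe As Object
End Sub
Function hGkpQwvZt(sPlzKwrx As String) As String
End Function
"""
BENIGN_VBA = """
Sub FormatReport()
    Dim reportSheet As Worksheet
    Dim lastRow As Long
End Sub
Sub ApplyHeaderStyle(targetSheet As Worksheet, rowCount As Long)
    targetSheet.Rows(1).Font.Bold = True
End Sub
"""

DECL_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)", re.M)
PARAM_RE = re.compile(r"(?:ByVal\s+|ByRef\s+)?(\w+)\s+As\b")
DIM_RE = re.compile(r"^\s*Dim\s+(\w+)", re.M)
VOWELS = set("aeiouy")

def declared_identifiers(vba):
    """Collect procedure names, parameter names and Dim'd variables."""
    names = []
    for name, params in DECL_RE.findall(vba):
        names.append(name)
        names.extend(PARAM_RE.findall(params))
    names.extend(DIM_RE.findall(vba))
    return names

def looks_random(name):
    """Heuristic (assumed thresholds): generated names have few vowels or long consonant runs."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 4:          # too short to judge (i, n, idx ...)
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.25 or longest >= 5

def obfuscation_report(vba):
    # Fraction of declared identifiers that look machine-generated.
    names = declared_identifiers(vba)
    flagged = [n for n in names if looks_random(n)]
    ratio = len(flagged) / len(names) if names else 0.0
    return {"total": len(names), "flagged": flagged, "ratio": ratio}
```

Real documents would be fed in through a VBA extractor such as olevba from oletools; the ratio is a triage signal for analyst review, not a verdict on its own.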
