Threat actors are likely abusing a tool intended for red team exercises to distribute malware, according to recent findings from Cisco Talos.
The software in question is a payload generation framework known as MacroPack, which is used to create Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was created by French developer Emeric Nasi.
The cybersecurity firm said it observed artifacts uploaded to VirusTotal from China, Pakistan, Russia, and the United States that were all produced by MacroPack and used to deliver various malicious payloads, including Chaos, Savage Cat, and a new version of ShadowCore, a remote access trojan (RAT) linked to a hacktivist group known as Head Mare.
“A common element across all the malevolent documents we analyzed that grabbed our attention is the presence of four harmless VBA subroutines,” Talos researcher Vanja Svajcer stated.
“These subroutines were present in all the samples and were not hidden. They had also never been used by any other malicious subroutines or elsewhere in any documents.”
An important point to highlight is that the lure themes in these documents vary, ranging from generic subjects instructing users to enable macros to official-looking documents that appear to originate from military entities. This suggests the involvement of distinct threat actors.
Some of the documents have also been observed leveraging advanced features offered by MacroPack to evade anti-malware heuristic detection by obscuring the malicious functionality with Markov chains that generate seemingly meaningful function and variable names.
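The generator artifact Talos describes above, benign VBA subroutines that are present in every sample yet never called from anywhere, is something a defender can check for directly. The following is an added example, not Talos' tooling or MacroPack code: it parses a constructed VBA module (hypothetical procedure names, since the article does not name the four subroutines) and lists every procedure that no other procedure references.

```python
import re

# Constructed sample VBA module (hypothetical names; the article does not name
# MacroPack's four benign subroutines). AutoOpen -> RunStage -> Decode is the
# live path; the four Helper* procedures are defined but never called.
SAMPLE_VBA = """
Sub AutoOpen()
    Call RunStage()
End Sub
Sub RunStage()
    Dim s As String
    s = Decode("ZGVtbw==")
End Sub
Function Decode(x As String) As String
    Decode = x
End Function
Sub HelperAlpha()
End Sub
Sub HelperBeta()
End Sub
Function HelperGamma() As Integer
    HelperGamma = 0
End Function
Sub HelperDelta()
End Sub
"""

# Entry points Office invokes itself, so no in-code call to them is expected.
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "workbook_open", "autoexec"}

# One Sub/Function: header with its name, then everything up to End Sub/Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\b(.*?)"
    r"^[ \t]*End\s+(?:Sub|Function)\b",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)

def procedures(vba):
    """Map each procedure name to its body (rest of header plus statements)."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(vba)}

def uncalled_procedures(vba):
    """Procedures no other procedure references; auto-exec entry points are
    skipped and a Function assigning its own name does not count as a call."""
    procs = procedures(vba)
    def referenced(name):
        ref = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        return any(ref.search(b) for n, b in procs.items() if n.lower() != name.lower())
    return [n for n in procs if n.lower() not in AUTO_EXEC and not referenced(n)]
```

Run over macro source extracted with a tool such as olevba, a cluster of dead procedures like the one this returns is a triage signal worth correlating across samples, not a verdict on its own.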

The attack chains, observed between May and July 2024, follow a three-step sequence: a booby-trapped Office document containing MacroPack VBA code is delivered, the macro decodes a next-stage payload, and that stage in turn retrieves and executes the final malware.
The development indicates that threat actors are continually refining their tactics in response to disruptions and adopting more sophisticated methods for code execution.