“Red Teaming Tool Misused: Threat Actors Deploy MacroPack for Malware Delivery, Reveals Cisco Talos”
Exploring the Misuse of Red Teaming Tools: How MacroPack Became a Vector for Malware Distribution
In the ever-evolving landscape of cybersecurity, a worrying trend has emerged where tools designed for security testing are being repurposed by cybercriminals to launch attacks. A recent investigation by Cisco Talos has unveiled that MacroPack, a tool originally created for red teaming exercises, is now being used to distribute malware. This revelation underscores a significant shift in how threat actors operate, adapting and weaponizing legitimate resources to serve their malicious intents.
MacroPack, developed by French developer Emeric Nasi, is a payload generation framework that enables the creation of various file types such as Office documents, Visual Basic scripts, and Windows shortcuts. These files are typically used in penetration testing and social engineering assessments to simulate cyber attacks and test system defenses. However, it appears that the benign intent behind MacroPack’s creation is being overshadowed by its misuse.
The findings from Cisco Talos are based on artifacts uploaded to VirusTotal, a popular online service that analyzes suspicious files and URLs. These artifacts originated from several countries including China, Pakistan, Russia, and the U.S., all of which were generated using MacroPack. The payloads delivered through these documents were identified as Havoc, Brute Ratel, and a new variant of PhantomCore—a remote access trojan (RAT) linked to the hacktivist group named Head Mare.
One intriguing aspect of these malicious documents is their use of four non-malicious VBA subroutines. According to Talos researcher Vanja Svajcer, these subroutines were present in all analyzed samples and were neither unclear nor previously used in any malicious activities. This could indicate a new tactic by cybercriminals to avoid detection by blending in with benign code.
The diversity in the themes of these luring documents is also notable. They range from generic prompts urging users to enable macros to more sophisticated impersonations of military organization communications. This variety not only points to the involvement of multiple threat actors but also highlights their increasing sophistication in crafting believable phishing attempts.
Some documents have exploited advanced features of MacroPack to bypass loosely defined detections by anti-malware solutions. By using Markov chains, these documents generate seemingly meaningful functions and variable names that conceal the underlying malicious activities. This method demonstrates an alarming level of intricacy in evading standard security measures.
The attack methodology observed involves a three-step process. Initially, a victim receives a unsuspecting Office document containing MacroPack VBA code. Upon activation, this code decodes a next-stage payload which then proceeds to fetch and execute the final malware. This sequence not only shows the strategic planning involved but also the relentless pursuit of cybercriminals to refine their attack vectors.
This development is particularly concerning as it highlights a broader issue within cybersecurity: the dual-use dilemma of security tools. While tools like MacroPack are invaluable for security professionals in testing and strengthening defenses, they also present a potent weapon in the hands of cyber adversaries when misused.
As we move forward, it’s imperative for the cybersecurity community to remain vigilant and proactive in addressing these challenges. The misuse of red teaming tools like MacroPack for malicious purposes is a stark reminder that our defenses must evolve in tandem with the tactics of those seeking to undermine them. The ongoing battle against cyber threats demands not only technological solutions but also a comprehensive understanding of how these tools can be turned against us.
