Recent findings from Cisco Talos reveal that threat actors are misusing MacroPack, a tool originally designed for red teaming, to distribute malware.

MacroPack, developed by French programmer Emeric Nasi, is a payload generation framework intended for creating Office documents, Visual Basic scripts, and other formats used in penetration testing and social engineering exercises. However, this legitimate tool has been co-opted by cybercriminals to deliver malicious payloads, including Havoc, Brute Ratel, and a new variant of PhantomCore, a remote access trojan (RAT) associated with the hacktivist group Head Mare. These malicious artifacts have been traced to sources in China, Pakistan, Russia, and the U.S.

A noteworthy pattern observed by Talos researchers, including Vanja Svajcer, is the presence of four non-malicious VBA subroutines in all the compromised documents. These subroutines, which were consistently left unencrypted and were not used in other malicious contexts, appear to be a distinctive artifact of MacroPack-generated files. The documents themselves use a range of lure themes, from generic prompts to enable macros to official-looking documents mimicking military communications. This variety of themes indicates that multiple distinct threat actors are leveraging MacroPack's capabilities to bypass security measures.

The attack sequences observed between May and July 2024 typically involve a three-step process: sending a tainted Office document embedded with MacroPack VBA code, which decodes a second-stage payload to fetch and execute the final malware. This evolving tactic highlights how cybercriminals are continually adapting their methods to evade detection and improve their chances of successful code execution. The sophisticated use of MacroPack, particularly its advanced features like Markov chains to obscure malicious intent, underscores the ongoing arms race between threat actors and cybersecurity defenses.
