5 September 2024

Threat actors using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Cisco Talos researchers have uncovered a series of malicious Microsoft Office documents uploaded to VirusTotal between May and July 2024, which were generated using a known Red Team tool called MacroPack.

Originally designed for penetration testers, MacroPack is increasingly being used by cybercriminals to deploy sophisticated malware payloads.

While Talos researchers observed similar tactics, techniques, and procedures (TTPs) across the documents, they were unable to attribute the activity to a single actor. The documents were uploaded from a range of countries, including China, Pakistan, Russia, and the United States, suggesting involvement from multiple threat actors.

MacroPack, a popular framework for creating payloads, is marketed for Red Team exercises. However, it appears that malicious actors have weaponized this tool. MacroPack allows users to generate various payloads embedded in Office-supported file formats, scripting files, and shortcuts, making it an attractive choice for attackers.

The professional version of the framework includes advanced capabilities like anti-malware bypass and anti-reversing features, which add resilience to the payloads. While the tool’s creators maintain that it is for ethical use only, there is little control over who uses the free version.

Talos' analysis of the documents uploaded to VirusTotal revealed several malicious payloads, including Havoc, Brute Ratel, and a new variant of the PhantomCore remote access trojan (RAT). Havoc and Brute Ratel are post-exploitation frameworks typically used by Red Teams, but they have also been abused by threat actors. PhantomCore, which was recently linked to Ukrainian hacktivist group Head Mare, has been used for cyber espionage targeting Russian government entities.

The malicious documents shared several common characteristics. They employed obfuscated VBA macros, a tactic to evade detection, with multiple layers of code to execute various payloads. The lures ranged from generic "enable content" prompts to more sophisticated ones, such as official-looking military correspondence.

One cluster of documents, uploaded from China, Taiwan, and Pakistan, delivered the Havoc implant as a final payload. Another cluster, including a document uploaded from Russia, contained a PhantomCore backdoor. The latter stood out for its unusual execution method, such as using an Excel workbook rather than a Word document.

Although the Talos team was able to connect the malware delivery techniques and payloads to MacroPack, it was unable to attribute the activity to a single threat actor or group. The diversity of document lures, geographic origins, and motivations suggests that different actors may be involved.

Some of the discovered documents appeared to be part of legitimate Red Team exercises, as confirmed through analysis. However, others were clearly intended for malicious purposes, particularly those linked to espionage and cyberattacks.
