Several threat actors have been abusing MacroPack, a payload-generation framework built for red team exercises, to deliver the Brute Ratel, Havoc, and PhantomCore payloads, according to BleepingComputer.
An analysis by Cisco Talos found a cluster of MacroPack-generated documents, uploaded between May and July from IP addresses in China, Taiwan, and Pakistan, whose macros installed Brute Ratel and Havoc from a China-based command-and-control server. Brute Ratel was also deployed through documents carrying Pakistani military lures, while PhantomCore was spread, as part of an espionage operation, through an Excel workbook uploaded from a Russian IP address whose multi-stage VBA code ran the payload. Multi-stage VBA code was likewise found in an encrypted document spoofing an NMLS form, uploaded from a U.S.-based IP address last March, that attempted to launch a payload the researchers could not recover. Researchers attributed all of the documents to MacroPack on the strength of its characteristic obfuscation artifacts: Markov-chain-generated function and variable names, stripped comments, and encoded strings. Because these artifacts identify the tooling rather than any single operator, the documents point to several unrelated operations sharing one generator.
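The three obfuscation artifacts described above are exactly what a triage script can look for once the VBA project has been extracted from a document (for example with oletools' olevba). The Python below is an added example written for this page, not Cisco Talos's detection logic or MacroPack's code: the two macro samples are constructed to imitate a plain macro and MacroPack-style output, the list of "familiar" name tokens used to judge whether an identifier looks machine-generated is an assumption, and the thresholds are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed sample: a benign macro with readable names and comments.
PLAIN_VBA = r"""
' Open the monthly report and refresh the pivot table
Sub RefreshReport()
    Dim reportPath As String
    reportPath = "C:\Reports\monthly.xlsx"   ' constructed path
    ' Refresh all pivot caches in the workbook
    Workbooks.Open reportPath
    ActiveWorkbook.RefreshAll
End Sub
"""

# Constructed sample imitating MacroPack output: pronounceable nonsense
# identifiers (Markov-chain style), no comments, Chr()/StrReverse-encoded strings.
OBFUSCATED_VBA = r"""
Sub AutoOpen()
    Dim gulirepa As String
    gulirepa = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Dim mavonute As Object
    Set mavonute = CreateObject(StrReverse("llehS.tpircSW"))
    mavonute.Run gulirepa & Chr(32) & Chr(45) & Chr(119) & Chr(32) & Chr(49), 0, False
End Sub
"""

# Identifiers introduced by these statements are the ones a generator renames.
DECL_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function|Dim|Set|Const)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)
# Auto-execution entry points are dictated by Office, so a generator cannot rename them.
AUTOEXEC = {"autoopen", "auto_open", "autoexec", "document_open", "workbook_open", "autoclose"}
# Assumed wordlist: fragments a human would plausibly put in a name. An identifier
# containing none of them is treated as "opaque". Crude, but Markov-chain names are
# pronounceable, so entropy-based checks would miss them.
FAMILIAR_TOKENS = (
    "auto", "open", "close", "doc", "document", "workbook", "sheet", "report", "path",
    "file", "name", "data", "value", "count", "index", "result", "str", "text", "obj",
    "cmd", "shell", "url", "temp", "buf", "list", "row", "col", "cell", "range",
    "refresh", "save", "load", "read", "write", "main", "init", "run",
)
ENCODING_RE = re.compile(r"\b(?:Chr[WB]?|StrReverse)\s*\(", re.IGNORECASE)
STRING_RE = re.compile(r'"[^"]*"')


@dataclass(frozen=True)
class VbaTriage:
    nonblank_lines: int
    comment_lines: int
    comment_ratio: float
    identifiers: tuple
    opaque_fraction: float
    encoded_ops: int
    flagged: bool


def _is_comment(line: str) -> bool:
    # Drop string literals first so an apostrophe inside "..." is not mistaken for a comment.
    stripped = STRING_RE.sub('""', line)
    return "'" in stripped or re.match(r"\s*Rem\b", stripped, re.IGNORECASE) is not None


def _is_opaque(identifier: str) -> bool:
    lowered = identifier.lower()
    return not any(tok in lowered for tok in FAMILIAR_TOKENS)


def analyse_vba(source: str) -> VbaTriage:
    lines = [ln for ln in source.splitlines() if ln.strip()]
    comment_lines = sum(1 for ln in lines if _is_comment(ln))
    comment_ratio = comment_lines / len(lines) if lines else 0.0

    identifiers = tuple(sorted({
        name for name in DECL_RE.findall(source) if name.lower() not in AUTOEXEC
    }))
    opaque = sum(1 for name in identifiers if _is_opaque(name))
    opaque_fraction = opaque / len(identifiers) if identifiers else 0.0

    encoded_ops = len(ENCODING_RE.findall(source))

    # Illustrative thresholds: all three MacroPack artifacts present at once.
    flagged = opaque_fraction >= 0.5 and comment_ratio < 0.05 and encoded_ops >= 3
    return VbaTriage(len(lines), comment_lines, round(comment_ratio, 3),
                     identifiers, round(opaque_fraction, 3), encoded_ops, flagged)


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_VBA), ("obfuscated", OBFUSCATED_VBA)):
        print(label, analyse_vba(sample))
```

Treat a hit as a triage signal that points at the generator, not as attribution to an actor: any obfuscator that strips comments and encodes strings will score similarly, and a hand-written macro with unusual naming can trip the identifier check, so the result belongs in an analyst queue rather than a blocking rule.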