Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads
Sept. 3, 2024, 8:20 p.m.
Tags
External References
Description
Multiple Microsoft Office documents generated by the MacroPack framework have been discovered, likely used by malicious actors to deploy various payloads. These documents, uploaded to VirusTotal between May and July 2024, originated from different countries including China, Pakistan, Russia, and the U.S. The payloads include Havoc and Brute Ratel post-exploitation frameworks, as well as a new variant of the PhantomCore remote access trojan. The MacroPack-generated code employs various obfuscation techniques to evade detection. The documents feature different lures, ranging from generic instructions to military-themed content. While the specific threat actors remain unidentified, the analysis reveals distinct clusters based on lure themes, payload types, and command and control infrastructure.
Date
Published: Sept. 3, 2024, 8 p.m.
Created: Sept. 3, 2024, 8 p.m.
Modified: Sept. 3, 2024, 8:20 p.m.
Indicators
.114.166.92
122.114.10.239
122.114.141.214
share.dedesignanddev.com
td.tula-steel.ru
dns2.s-logistics.net
dns1.s-logistics.net
api.wilbderreis.ru
Attack Patterns
Brute Ratel
PhantomCore
Havoc
T1027.001
T1568.002
T1102.002
T1132.001
T1573.002
T1573.001
T1059.005
T1027.002
T1497
T1071.001
T1204.002
T1082
T1057
T1566.001
T1083
T1055
T1140
T1027
Additional Information
Defense
Government
China
Pakistan
United States of America
Russian Federation