Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

Published 03/09/2024 20:00 · Modified 03/09/2024 20:20

Essential information

Published
03/09/2024 20:00
Modified
03/09/2024 20:20
Tags
2024-09-03, brute ratel, havoc, macropack, phantomcore, vba macros
Related entities
16 observables, 18 techniques (mitre), 3 malware, 6 others

Description

Multiple Microsoft Office documents generated by the MacroPack framework have been discovered, likely used by malicious actors to deploy various payloads. These documents, uploaded to VirusTotal between May and July 2024, originated from several countries, including China, Pakistan, Russia, and the U.S. The payloads include the Brute Ratel and Havoc post-exploitation frameworks, as well as a new variant of the PhantomCore remote access trojan. The MacroPack-generated code employs various obfuscation techniques to evade detection. The documents feature different lures, ranging from generic instructions to military-themed content. While the specific threat actors remain unidentified, the analysis reveals distinct clusters based on lure themes, payload types, and command-and-control infrastructure.

External references