Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

Sept. 3, 2024, 8:20 p.m.

Description

Multiple Microsoft Office documents generated by the MacroPack framework have been discovered, likely used by malicious actors to deploy various payloads. These documents, uploaded to VirusTotal between May and July 2024, originated from different countries including China, Pakistan, Russia, and the U.S. The payloads include Havoc and Brute Ratel post-exploitation frameworks, as well as a new variant of the PhantomCore remote access trojan. The MacroPack-generated code employs various obfuscation techniques to evade detection. The documents feature different lures, ranging from generic instructions to military-themed content. While the specific threat actors remain unidentified, the analysis reveals distinct clusters based on lure themes, payload types, and command and control infrastructure.

Date

Published: Sept. 3, 2024, 8 p.m.
Created: Sept. 3, 2024, 8 p.m.
Modified: Sept. 3, 2024, 8:20 p.m.

Indicators

SHA-256 file hashes:
e1ee389b2af2d3a0eff4aa14f2ac3de6cdd4a73de80b5d450a44ec69cd332dbf
cbafcf65b40d95e4699859a523ef4d300c57f93de6fbc6e194d1b922e9f3aba6
b5608e73eb460944d9b523a940d94c95d3eb66d6a8efe82462e2589ccfaadb82
93df1d60edd6b656b08e0fc0d31b330fd275f5e1a9069dfbb769e7ba217fcb6e
80731db97c33b50cd3d8727decec7e6a12bbf5f671527648c4cbb559fabc3074
2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c
2131de0cb705afa52f88ef70a87ee6c8662d38db0138efc4940218ee62d8a296
0cf1e59bae9dba7fbbf6ee6a36ca6bdb8fa0ac002b8cf824bd0888789a981c57

IPv4 addresses:
122.114.166.92
122.114.10.239
122.114.141.214

Attack Patterns

Malware / tooling:
Brute Ratel
PhantomCore
Havoc

MITRE ATT&CK techniques:
T1027.001 (Binary Padding)
T1568.002 (Domain Generation Algorithms)
T1102.002 (Bidirectional Communication)
T1132.001 (Standard Encoding)
T1573.002 (Asymmetric Cryptography)
T1573.001 (Symmetric Cryptography)
T1059.005 (Visual Basic)
T1027.002 (Software Packing)
T1497 (Virtualization/Sandbox Evasion)
T1071.001 (Web Protocols)
T1204.002 (Malicious File)
T1082 (System Information Discovery)
T1057 (Process Discovery)
T1566.001 (Spearphishing Attachment)
T1083 (File and Directory Discovery)
T1055 (Process Injection)
T1140 (Deobfuscate/Decode Files or Information)
T1027 (Obfuscated Files or Information)

Additional Information

Targeted sectors:
Defense
Government

Countries:
China
Pakistan
United States of America
Russian Federation