Attackers abuse red teaming tool to deploy Brute Ratel

Cyber crime and security vector concept showing a laptop, credit card and open padlock.

(Image credit: Shutterstock / Jozsef Bagota)

Hackers are using the MacroPack framework to generate weaponized Microsoft Office documents. These documents, in turn, deploy different malware to their targets, including Blue Ratel, PhantomCore, and Havoc.

This is according to a new report from cybersecurity researchers Cisco Talos. In a detailed analysis published earlier this week, the researchers said they spotted what appear to be multiple threat actor groups abusing MacroPack in their malicious campaigns.

The MacroPack framework is a legitimate tool used to create and manipulate Microsoft Office documents with embedded macros, often used in cybersecurity contexts for penetration testing and red teaming. It allows users to automate the generation of documents that can execute payloads or scripts, which can be exploited by attackers to deliver malicious code.

MacroPack Abuse

As explained in the report, the researchers took multiple files uploaded to the VirusTotal database, and came to the conclusion that at least four different groups are abusing MacroPack. One is from China, Taiwan, and Pakistan, and it was active between May and July this year, distributing Brute Ratel and Havoc. The C2 servers for this campaign were located in Henan, China. One is in Pakistan, impersonating the Pakistan Air Force, and distributing Brute Ratel. One is in Russia, dropping PhantomCore, and the last one is in the US, and was deploying a previously unknown malware labeled mshta.exe.

Brute Ratel is a sophisticated red-teaming and adversary simulation tool designed for offensive cybersecurity professionals. It helps simulate advanced persistent threat (APT) attacks by mimicking real-world tactics, techniques, and procedures (TTPs) used by cyber adversaries. The tool is used to test and improve the defenses of organizations by evaluating their security posture against complex attacks. As such, it is seen as an alternative to Cobalt Strike, another legitimate tool which was abused to the point that antivirus programs started flagging it.

Via BleepingComputer

More from TechRadar Pro

BlackCat ransomware could be about to get a whole lot nastier
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Latest

Sihoo M76A-M101 ergonomic office chair review

See more latest ►

MacroPack Abuse

More from TechRadar Pro

Are you a pro? Subscribe to our newsletter

Most Popular