Hackers are abusing a legitimate tool used by organizations’ red teams to deliver malicious payloads, including a new variant of the remote access trojan (RAT) PhantomCore, which was created by a Ukrainian hacktivist group called Head Mare to run cyberespionage campaigns against government offices and businesses in Russia.

Red teams use the MacroPack payload generator framework in simulated cyberattacks to test the security of their organizations’ IT systems. However, threat actors also are using it for their nefarious operations, according to a researcher with Cisco’s Talos threat intelligence unit.

MacroPack was developed by French developer Emeric Nasi.

Talos detected several Microsoft Office documents that were uploaded to VirusTotal by multiple bad actors between May and July that were created by a version of MacroPack. The latest documents were uploaded from different sources from the United States, China, Russia, and Pakistan, among other countries, Vanja Svajcer, outreach researcher for Talos, wrote in a report this week.

The malicious filed delivered several payloads, including the Havoc post-exploitation command-and-control (C2) framework that was created to be used by red and blue penetration testing teams. Blue teams protect an organization’s systems and infrastructure from cyberattacks. Another payload was Brute Ratel, another C2 post-exploitation framework used by red teams.

PhantomCore, a backdoor written in the Go programming language, was the third malware detected on some of the Office documents. Some of the PhantomCore variants are obfuscated by a feature called garble in Go that makes it more difficult for researchers to analyze them.

Abusing Legitimate Software Tools

The abuse of MacroPack is part of a long-running practice by threat actors to abuse legitimate cybersecurity tools to deploy malware. The tools most often repurposed by hackers include Cobalt Strike, another piece of software used by internal security teams to simulate attacks, and remote monitoring and management (RMM) like AnyDesk, ConnectWise, and SimpleHelp. Bad actors abuse such software to run phishing campaigns and establish persistence, according to cybersecurity vendor SOCRadar.

“The issue of legitimate software abuse is not one that is likely to disappear anytime soon,” SOCRadar researchers wrote in a blog post last year. “As technology continues to advance, threat actors invariably find ways to exploit it for their own malicious ends.”

The continued embrace of cloud computing is an example of this trend, the researchers wrote.

“As more organizations migrate their data to the cloud, the infrastructure itself becomes a target for misuse,” they wrote. “Legitimate cloud-based tools, such as Dropbox and Google Drive, which were designed to facilitate data storage and sharing, are now being repurposed by attackers for nefarious activities.”

Federal law enforcement agencies also have warned about this trend. The FBI in November 2023 issued an advisory about ransomware groups using legitimate and third-party vendor tools. Earlier last year, an advisory by CISA, the National Security Agency (NSA), and others warned of threat groups abusing RMM tools.

VBA Macros Still a Problem

What Talos researchers found in VirusTotal were the Microsoft Office documents that were using Visual Basic for Applications (VBA) macros that while similar couldn’t be attributed to the same bad actor. To bolster security for Office users, Microsoft in 2022 blocked VBA macros, which were being abused in hundreds of cyber campaigns.

“The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable,” Talos’ Svajcer wrote. “The VBA code in all the documents had similar characteristics, which we traced to the MacroPack framework.”

The VBA code in the malicious documents were similar, but the lure themes were different, which indicated that different hackers were responsible for the documents. However, a common feature in all documents were four non-malicious VBA code, which were not obfuscated and likely were included to decrease any suspicion of the code, he wrote.

Threats From Around the World

Some documents were from IP addresses in China, Pakistan, and Taiwan that include similar lures with a generic Word document instructing users to “enable content,” which would allow a VBA macro code to execute. The C2 IP addresses for the payloads were linked to the same autonomous system in the Henan province in China, indicating the documents were likely created by the same bad actor.

The documents delivered the Havoc and Brute Ratel payloads.

“The second cluster of documents, with Pakistani military-related themes, were uploaded to VirusTotal from two different locations in Pakistan,” Svajcer wrote. “We have elected to classify them together based on the military-related themes and a Brute Ratel DLL badger as the final payload.”

While most of the malicious documents found by Talos were Word documents, one tracked back to a Russian IP address was an Excel workbook, he wrote, adding that the VBA code also was different. Rather than creating a byte array of shellcode and loading it into the host process, there was more VBA code in the next stage. In addition, how it was executed also was unusual. It delivered the PhantomCore RAT.

The documents delivered from the United States was uploaded to VirusTotal a year earlier than the other ones, in March 2023 and seems to be an encrypted U.S. Nationwide Multistate Licensing System and Registry renewal form.

“We chose this document lure to demonstrate MacroPack’s usage of a Markov Chain-based name generator,” Svajcer wrote. “This document, similar to the lure uploaded from Russia, has multiple VBA stages.”

The researchers were unable to determine the final payload for that document.