| MacroPack | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | France |
| Targeted Countries | China |
| Date of Initial Activity | 2017 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
MacroPack is a versatile and powerful payload generation framework that was originally developed for Red Team exercises, designed to facilitate the creation and deployment of various types of payloads. Despite its intended use in legitimate security assessments, it has recently been co-opted by threat actors for malicious purposes. The framework’s ability to generate multiple types of payloads, including Remote Access Trojans (RATs) and post-exploitation frameworks, makes it an attractive tool for cybercriminals. MacroPack can produce highly obfuscated documents, including Microsoft Office files that exploit vulnerabilities in Office’s VBA macro functionality, enabling attackers to deploy malware and establish control over compromised systems.
What makes MacroPack particularly concerning is its flexibility and ease of use. The framework can generate payloads with minimal effort, allowing threat actors to quickly set up malicious implants that can bypass traditional security measures. MacroPack’s use of obfuscation techniques, such as function and variable renaming, the removal of surplus characters, and encoding of payload strings, helps to evade detection by anti-malware software. Additionally, the inclusion of non-malicious code, often derived from public sources like VBA examples or programming books, serves to further lower the overall entropy of the code, making it less suspicious to heuristic-based detection systems.
Targets
Individuals
Information
How they operate
At its core, MacroPack is designed to generate malware-laden Microsoft Office documents, particularly Word files, that utilize Visual Basic for Applications (VBA) macros. These macros are embedded in the document with the intention of executing malicious code once the user enables them. When a victim opens a document generated by MacroPack, they are typically presented with a prompt asking them to “enable content” in order to view the document. Once enabled, the embedded VBA macro runs, initiating the delivery and execution of the malware payload. This social engineering technique, which relies on the user’s trust in seemingly benign documents, is the first step in the malware’s attack chain.
One of the key features of MacroPack is its ability to heavily obfuscate the payloads it generates, making detection by traditional security tools more difficult. The framework uses a variety of techniques to hide the true nature of the malicious code. For instance, function and variable names are randomly renamed, strings are encoded, and surplus spaces are removed, all of which make it challenging for signature-based detection methods to identify the threat. The payload’s code is also obfuscated with multiple layers of encryption, which is a common tactic to evade heuristic detection systems. Furthermore, MacroPack employs a function that deobfuscates the payload string during execution, ensuring that the malicious code remains concealed until the final stages of the attack.
Another advanced technique used by MacroPack is the inclusion of non-malicious VBA subroutines in the generated documents. These subroutines, which are often taken from publicly available sources like programming books or VBA example websites, serve to lower the overall entropy of the code. This makes the malicious code appear less suspicious to anti-malware engines that rely on entropy analysis to detect malicious activity. The inclusion of benign code helps mask the presence of the malicious payload, thus reducing the likelihood of detection by more sophisticated detection systems. Some of these non-malicious subroutines are commonly found in legitimate macros, which further reduces the level of suspicion when the document is scrutinized by security tools.
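As an added example that is not part of this profile and not MacroPack's own code, the following Python script scores VBA source on the structural traits described above (an auto-run entry point, vowel-poor renamed identifiers, Chr() chains and a runtime decoder such as StrReverse) instead of on entropy alone. The two macros are constructed, harmless samples; the regexes and thresholds are assumptions chosen for illustration. It shows that appending textbook-style filler lowers the indicator density per character but leaves the indicator counts, and therefore the verdict, unchanged.

```python
import math
import re
from collections import Counter

# Constructed samples (not real MacroPack output). The first carries the traits
# described above: renamed identifiers, a Chr()-encoded string, a runtime decoder.
OBFUSCATED_VBA = """Sub AutoOpen()
Dim xqzplmw As String, rtkvbnq As String
xqzplmw = Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(111)
rtkvbnq = qwxdfp("dlrow")
MsgBox xqzplmw & " " & rtkvbnq
End Sub
Function qwxdfp(s As String) As String
qwxdfp = StrReverse(s)
End Function
"""
# Textbook-style filler of the kind the text says is appended to lower entropy.
BENIGN_FILLER = """Function CelsiusToFahrenheit(c As Double) As Double
CelsiusToFahrenheit = c * 9 / 5 + 32
End Function
Function CountWords(text As String) As Long
CountWords = UBound(Split(Trim(text), " ")) + 1
End Function
"""
AUTOEXEC = re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b")
CHR_CALL = re.compile(r"\bChr\(\d+\)")
DECODER = re.compile(r"\b(StrReverse|Xor)\b", re.IGNORECASE)
IDENT = re.compile(r"\b(?:Sub|Function|Dim)[ \t]+([A-Za-z_]\w*)")

def shannon_entropy(text: str) -> float:
    """Bits per character: the figure benign padding is meant to push down."""
    n, counts = len(text), Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(name: str) -> bool:
    """Renamed identifiers tend to be vowel-poor consonant runs (assumed heuristic)."""
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return len(name) >= 5 and vowels / len(name) < 0.2

def indicators(vba: str) -> dict:
    """Structural signs of obfuscation; appended filler does not remove them."""
    return {"autoexec": len(AUTOEXEC.findall(vba)),
            "chr_calls": len(CHR_CALL.findall(vba)),
            "decoders": len(DECODER.findall(vba)),
            "random_names": sum(looks_random(n) for n in IDENT.findall(vba))}

def verdict(vba: str) -> str:
    # Decide on structure, so a lowered entropy score cannot argue the hits away.
    h = indicators(vba)
    flagged = h["autoexec"] and h["random_names"] >= 2 and (h["chr_calls"] >= 4 or h["decoders"])
    return "suspicious" if flagged else "clean"
```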
Once the payload is executed, it typically initiates a multi-stage infection process. In some instances, the payload is designed to connect to a command and control (C2) server, where it can receive further instructions from the attacker. This communication is usually conducted over common protocols such as HTTP or HTTPS, which helps to blend the malicious traffic with regular web traffic, making it harder to detect. Depending on the specific payload deployed, attackers can achieve a variety of objectives, including system control, data exfiltration, or credential theft. For example, MacroPack is known to deploy payloads like the Brute Ratel and Havoc post-exploitation frameworks, which allow the attacker to maintain persistent access to the compromised system, escalate privileges, and move laterally across the network.
The versatility of MacroPack lies in its ability to deliver a wide range of malicious payloads. The framework allows attackers to customize the types of implants and payloads generated, tailoring their attack based on the specific goals of the campaign. Once a victim’s system is compromised, these payloads enable the attacker to perform activities such as remote monitoring, keylogging, and file manipulation. The ability to generate customized payloads quickly and efficiently makes MacroPack a powerful tool for threat actors looking to launch targeted attacks, and its widespread use underscores the importance of robust security practices, such as disabling macros in untrusted documents and regularly updating anti-malware software.
In conclusion, MacroPack represents a significant threat due to its technical sophistication and the flexibility it offers malicious actors. Its ability to generate highly obfuscated payloads, utilize social engineering techniques, and bypass traditional detection methods makes it a formidable tool for cybercriminals. As threat actors continue to adapt and evolve their tactics, the use of tools like MacroPack serves as a reminder of the ongoing need for organizations to remain vigilant and proactive in their cybersecurity efforts. Understanding how such malware operates on a technical level is crucial for developing effective detection and defense strategies against this growing threat.
MITRE Tactics and Techniques
Initial Access (TA0001):
Spearphishing Attachment (T1566.001): MacroPack typically uses Microsoft Office documents with embedded VBA macros to deliver its payload. The documents are often distributed through phishing emails, where the attacker lures the victim into enabling macros, which triggers the execution of malicious code.
Execution (TA0002):
User Execution (T1204): The VBA macros in the documents generated by MacroPack rely on the user enabling macros, which is a key method for execution. The attacker depends on social engineering techniques to convince the victim to execute the malicious payload by enabling macros in a seemingly harmless document.
Command and Scripting Interpreter (T1059): MacroPack can also use scripting languages like VBA and PowerShell to execute its payload on the victim’s machine once the macro is enabled.
Persistence (TA0003):
Boot or Logon Autostart Execution (T1547): MacroPack payloads may establish persistence by modifying system settings or creating scheduled tasks to ensure the malware runs every time the system starts or a user logs in. The exact method depends on the type of payload used, such as Brute Ratel or Havoc, which are designed to maintain control over the infected system.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): Although not always present, some MacroPack-generated payloads can be used to exploit vulnerabilities on the target machine to elevate privileges, providing the attacker with greater control over the system.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): MacroPack payloads are heavily obfuscated to evade detection. This includes renaming variables and functions, removing spaces, and encoding strings. These obfuscation techniques make it difficult for security tools to identify malicious activity.
Timestomping (T1070.006): In some cases, MacroPack-generated payloads may use timestomping techniques to modify file timestamps, further helping to avoid detection by security solutions that monitor file creation or modification times.
Credential Access (TA0006):
Credential Dumping (T1003): Some MacroPack payloads, such as those related to the Brute Ratel framework, could be used to gather credentials from the compromised system, enabling further exploitation or lateral movement within the network.
Command and Control (TA0011):
Application Layer Protocol (T1071): Once the payload is executed, the malware often connects to a command-and-control (C2) server to receive further instructions or to exfiltrate data. The protocols used for C2 communication are typically HTTP and HTTPS, which disguise malicious traffic as legitimate web traffic.
Impact (TA0040):
Data Manipulation (T1565): In certain cases, the attackers may manipulate or steal data during the exploitation phase, depending on the type of payload deployed and the specific goals of the attack.