Threat Research

“Threat Actors Deploy Brute Ratel, Havoc, and PhantomCore Payloads via MacroPack”

Talos

Talos identified VirusTotal-uploaded Microsoft Office documents generated by MacroPack that deliver Havoc, Brute Ratel, and PhantomCore payloads across multiple samples. While tactics are similar across samples, investigators could not attribute the activity to a single actor, and no Talos customers were affected.


#MacroPack #Havoc #BruteRatel #PhantomCore #UNC1151 #VirusTotal #MicrosoftOffice #VBA

Keypoints

  • MacroPack framework is used to generate malicious Microsoft Office documents.
  • Documents uploaded from multiple countries: China, Pakistan, Russia, and the United States.
  • Payloads include Havoc, Brute Ratel frameworks, and PhantomCore RAT.
  • Similarities in tactics but no attribution to a single actor.
  • No Talos customers were affected by these attacks.
  • Threat from VBA macros persists for users with outdated Office versions.
  • MacroPack includes non-malicious code to evade detection.

MITRE Techniques

  • [T1059.003] Command and Scripting Interpreter – Brief description of how it was used. Quote relevant content using bracket (‘Malicious documents execute VBA macros to run commands.’)
  • [T1547.001] Startup Items: Registry Run Keys / Startup Folder – Brief description of how it was used. Quote relevant content using bracket (‘Payloads establish persistence by executing on startup.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Brief description of how it was used. Quote relevant content using bracket (‘Payloads communicate with C2 servers over HTTP/HTTPS.’)
  • [T1041] Exfiltration Over Command and Control Channel – Brief description of how it was used. Quote relevant content using bracket (‘Payloads may exfiltrate data back to the C2 server.’)

Indicators of Compromise

  • [Hash] File Hash – 0cf1e59bae9dba7fbbf6ee6a36ca6bdb8fa0ac002b8cf824bd0888789a981c57 (Havoc demon), 93df1d60edd6b656b08e0fc0d31b330fd275f5e1a9069dfbb769e7ba217fcb6e (Brute Ratel loader)
  • [IP] 122.114.141.214, 122.114.10.239, 122.114.166.92 (Havoc/Brute Ratel C2 endpoints)
  • [Domain] dns1.s-logistics.net, dns2.s-logistics.net, api.wilbderreis.ru (Brute Ratel C2 domains)
  • [URL] https://d3qrqtfazjdt5i.cloudfront.net/HubsExtension/Resource/Type/c8d984.php, https://d3qrqtfazjdt5i.cloudfront.net/HubsExtension/Browse/resourceType/id.php
  • [URL] http://td.tula-steel.ru/en/image.jpg, https://share.dedesignanddev.com:443/datadoc

Read more: https://blog.talosintelligence.com/threat-actors-using-macropack/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint