Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Multiple Microsoft Office documents generated by the MacroPack framework have been discovered, likely used by malicious actors to deploy various payloads. These documents, uploaded to VirusTotal between May and July 2024, originated from different countries including China, Pakistan, Russia, and the U.S. The payloads include Havoc and Brute Ratel post-exploitation frameworks, as well as a new variant of the PhantomCore remote access trojan. The MacroPack-generated code employs various obfuscation techniques to evade detection. The documents feature different lures, ranging from generic instructions to military-themed content. While the specific threat actors remain unidentified, the analysis reveals distinct clusters based on lure themes, payload types, and command and control infrastructure.

OPENCTI LABELS:

brute ratel, havoc, phantomcore, vba macros, macropack

