Threat Actors Use MacroPack to Spread Havoc, Brute Ratel, and PhantomCore

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities reported across various platforms. Recent incidents include threat actors using MacroPack to spread Havoc, Chinese espionage using VS Code vulnerabilities to target Southeast Asian governments, SonicWall urging its users to patch a firewall vulnerability, a data breach at payment gateway provider Slim CD exposing the information of nearly 1.7 million users, and the RansomHub ransomware group abusing Kaspersky’s TDSSKiller tool. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Threat Actors Use MacroPack to Spread Havoc, Brute Ratel, and PhantomCore 

Researchers have found that threat actors are abusing the MacroPack payload generation framework, originally built for red teaming, to deliver malware such as Havoc, Brute Ratel, and PhantomCore. MacroPack generates malicious Office documents, Visual Basic scripts, and Windows shortcuts, and applies obfuscation techniques such as function renaming and payload encoding to evade detection. These attacks have been observed in China, Pakistan, Russia, and the U.S., and involve the deployment of remote access trojans (RATs) and command-and-control frameworks.

Researchers identified Office documents made with MacroPack, linked to payloads including a new PhantomCore variant. The documents use unique VBA subroutines and advanced obfuscation methods, hinting at a shared origin. Lure themes varied from generic macro activation prompts to fake military documents, suggesting multiple threat actors. Brute Ratel, a C2 framework similar to Cobalt Strike, enables attackers to deploy agents, execute remote commands, move laterally, establish persistence, and evade detection.

From May to July 2024, researchers observed attacks starting with MacroPack VBA code, followed by payload decoding and final malware execution. Key recommendations are to disable macros by default, scan emails and attachments for malicious content, and use sandboxing to analyze suspicious files.
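The recommendation to scan attachments before they reach a user can be turned into a simple mail-gateway triage step: an OOXML document is a zip container, and a compiled VBA project is stored inside it as a `vbaProject.bin` part, so its presence can be checked without opening the file in Office. The following Python script is an added example and is not SISA's or any vendor's code; the attachments it inspects are constructed in memory (the 16 zero bytes stand in for a real VBA project), and the three verdicts (allow, sandbox, quarantine) are this example's own policy, not a standard.

```python
import io
import zipfile

# Extensions Office treats as macro-enabled, and the wider OOXML family this check covers.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx", ".ppsx"}


def _build_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Real documents store the compiled VBA project here; zero bytes stand in for it.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample mailbox attachments.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": _build_ooxml(with_vba=False),
    "report.docm": _build_ooxml(with_vba=True),
    "notice.docx": _build_ooxml(with_vba=True),   # macro-free extension, yet carries a VBA project
    "readme.txt": b"plain text, not an Office file",
}


def triage_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment: allow, sandbox (macros present) or quarantine (container lies)."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    result = {"name": name, "has_vba": False, "extension_mismatch": False, "verdict": "allow"}
    if ext not in OOXML_EXTENSIONS:
        return result                      # outside the scope of this check
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["verdict"] = "quarantine"   # claims to be OOXML but is not a zip container
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    if result["has_vba"]:
        # A VBA project behind a supposedly macro-free extension is a stronger signal than macros alone.
        result["extension_mismatch"] = ext not in MACRO_EXTENSIONS
        result["verdict"] = "quarantine" if result["extension_mismatch"] else "sandbox"
    return result


def triage_all(attachments: dict) -> dict:
    """Map every attachment name to its verdict."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14s} -> {verdict}")
```

Macro-bearing documents are routed to sandbox detonation rather than blocked outright, since some business workflows legitimately depend on them; what the check will not see is a macro hidden in a legacy binary `.doc`/`.xls` (OLE) file, which needs an OLE parser rather than a zip listing.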

2. Chinese Cyber Espionage Targets SEA Using Visual Studio Code Vulnerabilities

Cybersecurity experts have identified a new malware campaign using Google Sheets as a command-and-control (C2) platform, targeting over 70 organizations globally in sectors like insurance, finance, healthcare, government, and more. The attackers impersonate tax authorities from Europe, Asia, and the U.S., using a custom tool named Voldemort to collect data and deploy additional payloads.

Attackers craft phishing emails that mimic national tax authorities, leading victims to malicious landing pages hosted on InfinityFree with Google AMP Cache URLs. If accessed via a Windows browser, victims are redirected to a search-ms URI, leading to a LNK or ZIP file disguised as a PDF hosted on a WebDAV/SMB share. Opening this file executes a Python script that profiles the victim’s system while displaying a decoy PDF. The script also downloads a legitimate Cisco WebEx executable and a malicious DLL, resulting in the deployment of Voldemort via DLL side-loading.

Voldemort, a C-based backdoor, uses Google Sheets as its C2 server, sending stolen data to specific spreadsheet cells and receiving commands through Google’s API, making it highly resilient and stealthy. The use of Google Sheets in enterprise environments enhances its evasion capabilities by blending with legitimate traffic.

To counter this threat, organizations should strengthen email security with advanced filtering to block phishing emails, monitor network traffic for unusual connections to cloud services like Google Sheets, and restrict the execution of macros, scripts, and protocols like search-ms that can be exploited by malware. These measures are critical to defending against such sophisticated attacks.
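One concrete form of the "monitor network traffic for unusual connections to cloud services" advice is to correlate endpoint network events with the process that made them: a browser reaching the Google Sheets API is routine, while a side-loaded executable in a user's temp directory doing so is not. The script below is an added example, not code from SISA or from the researchers who reported the campaign; the Sysmon-style events are constructed, `webex_host.exe` is a placeholder name for the side-loaded host process and not the real WebEx binary, and the browser allowlist is an assumption to be tuned per environment.

```python
import csv
import io

# Constructed endpoint network-connection events (Sysmon event 3 style); not real telemetry.
SAMPLE_EVENTS = """\
time,host,image,dest_host,dest_port
2024-09-10T09:01:12Z,WS-0142,C:\\Program Files\\Mozilla Firefox\\firefox.exe,sheets.googleapis.com,443
2024-09-10T09:03:40Z,WS-0142,C:\\Users\\alice\\AppData\\Local\\Temp\\webex_host.exe,oauth2.googleapis.com,443
2024-09-10T09:03:41Z,WS-0142,C:\\Users\\alice\\AppData\\Local\\Temp\\webex_host.exe,sheets.googleapis.com,443
2024-09-10T09:05:02Z,WS-0077,C:\\Windows\\System32\\svchost.exe,update.microsoft.com,443
2024-09-10T09:06:15Z,WS-0077,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,sheets.googleapis.com,443
"""

# Processes expected to talk to Google APIs on a workstation (assumed allowlist; tune per site).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
GOOGLE_API_SUFFIX = ".googleapis.com"
# Directories from which a legitimately installed application should not be running.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(csv_text: str) -> list:
    """Flag Google API connections made by anything other than an allowlisted browser."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dest = row["dest_host"].lower()
        if not dest.endswith(GOOGLE_API_SUFFIX):
            continue
        image = row["image"]
        if basename(image) in BROWSERS:
            continue
        reasons = ["non-browser process reached a Google API endpoint"]
        if any(d in image.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("image runs from a user-writable staging directory")
        hits.append({"time": row["time"], "host": row["host"], "image": image,
                     "dest": dest, "reasons": reasons})
    return hits


def hosts_with_api_pairs(hits: list) -> set:
    """Hosts where one non-browser image reached both the OAuth token endpoint and the Sheets API,
    the two calls an API-backed C2 channel needs before it can read or write cells."""
    seen = {}
    for h in hits:
        seen.setdefault((h["host"], h["image"]), set()).add(h["dest"])
    return {host for (host, _), dests in seen.items()
            if {"oauth2.googleapis.com", "sheets.googleapis.com"} <= dests}


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["host"], hit["image"], "->", hit["dest"], ";", "; ".join(hit["reasons"]))
    print("token+sheets pairs on:", sorted(hosts_with_api_pairs(find_suspicious(SAMPLE_EVENTS))))
```

The image-path rule is what separates this from noise: Drive sync clients and office add-ins also call `googleapis.com`, but they run from Program Files under a signed binary, so an allowlist keyed on full path (and, where telemetry has it, signer) keeps the rule quiet without losing the side-loaded case.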

3. New Cicada Ransomware Variant Targets Linux-Based VMware ESXi Servers

A ransomware-as-a-service (RaaS) operation is impersonating the legitimate Cicada 3301 organization, with 19 victims listed on its extortion site. The new ransomware variant, Cicada3301, emerged in June 2024 and targets small to medium-sized businesses (SMBs). Written in Rust, it runs on both Windows and Linux/ESXi platforms, making it highly versatile.

Cicada3301 uses advanced techniques similar to BlackCat, such as ChaCha20 encryption and system utilities like fsutil, IISReset.exe, and wevtutil, to disrupt recovery processes and erase traces of its activity. It also employs PsExec for remote command execution and terminates processes related to backup and recovery, hindering data restoration. The ransomware targets 35 file extensions, including sql, doc, xls, and pdf, to encrypt valuable enterprise data. Additionally, it exploits vulnerabilities in signed drivers using EDRSandBlast, a tactic previously used by BlackByte, to evade endpoint detection and response (EDR) systems.

To mitigate the threat, it is critical to regularly update systems and software to patch vulnerabilities, utilize advanced endpoint protection solutions to detect and block ransomware behaviors, and maintain frequent backups of critical data while testing recovery processes to ensure effectiveness against ransomware attacks. Immediate implementation of these measures is recommended to defend against this evolving threat.
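The utilities named above (fsutil, IISReset.exe, wevtutil, PsExec, and the killing of backup processes) are each unremarkable on their own, which is why a useful endpoint rule looks for several of them on one host within a short window rather than any single command. The following Python script is an added example, not SISA's or any EDR vendor's detection content; the process-creation events are constructed, the regular expressions and the 10-minute, three-category threshold are this example's own choices, and `backupagent.exe` is a placeholder process name.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon event 1 / Windows 4688 style); not real telemetry.
SAMPLE_EVENTS = """\
time,host,image,cmdline
2024-09-10T02:14:05Z,FS-02,C:\\Windows\\System32\\fsutil.exe,fsutil usn deletejournal /D C:
2024-09-10T02:14:09Z,FS-02,C:\\Windows\\System32\\iisreset.exe,IISReset.exe /stop
2024-09-10T02:14:30Z,FS-02,C:\\Windows\\System32\\taskkill.exe,taskkill /F /IM backupagent.exe
2024-09-10T02:15:01Z,FS-02,C:\\Windows\\System32\\wevtutil.exe,wevtutil cl Security
2024-09-10T02:15:02Z,FS-02,C:\\Windows\\System32\\wevtutil.exe,wevtutil cl System
2024-09-10T10:30:00Z,WEB-01,C:\\Windows\\System32\\iisreset.exe,iisreset /restart
2024-09-10T11:02:17Z,WS-0101,C:\\Windows\\System32\\wevtutil.exe,wevtutil qe Application /c:5
"""

# Indicator categories drawn from the tradecraft described above; the patterns are this example's own.
INDICATORS = {
    "journal_wipe": re.compile(r"\bfsutil\b.*\busn\b.*\bdeletejournal\b", re.I),
    "iis_stop":     re.compile(r"\biisreset(\.exe)?\b.*/stop\b", re.I),
    "log_clear":    re.compile(r"\bwevtutil(\.exe)?\b\s+cl\b", re.I),
    "backup_kill":  re.compile(r"\b(taskkill|net\s+stop)\b.*\b(backup|veeam|vss|sql)\w*", re.I),
    "remote_exec":  re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # distinct categories on one host inside WINDOW before alerting
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def classify(cmdline: str) -> set:
    """Return the indicator categories a single command line matches (usually none)."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def find_alerts(csv_text: str) -> list:
    """Sliding-window correlation: alert once per host that accumulates THRESHOLD categories."""
    per_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cats = classify(row["cmdline"])
        if cats:
            per_host[row["host"]].append((datetime.strptime(row["time"], TIME_FMT), cats))
    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, cats in events[i:]:
                if ts - start > WINDOW:
                    break
                seen |= cats
            if len(seen) >= THRESHOLD:
                alerts.append({"host": host, "first_seen": start.strftime(TIME_FMT),
                               "categories": sorted(seen)})
                break  # one alert per host is enough; the rest is triage
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Note that `wevtutil qe` (a query) and `iisreset /restart` (routine web-server maintenance) stay silent: the patterns key on the destructive verbs, and even a true `IISReset /stop` alone is a single category, below the threshold.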

4. Malware Disguised as Palo Alto GlobalProtect VPN Targets Middle Eastern Users

Cybersecurity researchers have uncovered a sophisticated malware campaign targeting users in the Middle East by masquerading as the Palo Alto Networks GlobalProtect VPN tool. The malware executes remote PowerShell commands, exfiltrates data, encrypts communications, and evades detection by mimicking legitimate VPN traffic.

The campaign operates through a two-stage process that begins with installation of the primary backdoor, GlobalProtect.exe. Once deployed, the backdoor communicates with a command-and-control (C2) server, signaling the attackers and exfiltrating system details such as IP address, OS, username, and machine name via the configuration files RTime.conf and ApProcessId.conf. The malware uses evasion techniques such as having the setup.exe binary check for specific file paths before execution, and it beacons through the open-source Interactsh project. The C2 server’s URL is crafted to resemble the legitimate VPN portal of a company in Sharjah, U.A.E., blending the malware’s activity with normal network traffic to enhance stealth.

To defend against this threat, it is crucial to educate users on phishing risks and verify the authenticity of software downloads, especially for security tools like VPNs. Implement advanced endpoint protection solutions that can detect and mitigate sophisticated threats, such as remote PowerShell command execution. Additionally, segment critical network assets to limit malware’s lateral movement and continuously monitor network traffic for unusual activities, particularly connections to unfamiliar VPN portals or C2 servers. Keeping software up-to-date and restricting access to unnecessary services will further reduce potential vulnerabilities.
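Because the C2 URL is built to look like a VPN portal, a hostname allowlist alone does little here; what still gives a backdoor away is the beaconing rhythm, since a human on a VPN portal does not reconnect every minute with near-zero jitter. The script below is an added example, not SISA's or the reporting researchers' code: it groups outbound connections by host and destination and flags pairs whose inter-connection gaps are too regular. The connection records are constructed, `portal.vpn-lookalike.example` is a placeholder for the look-alike portal, and the minimum-count and jitter thresholds are this example's assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MIN_CONNECTIONS = 6   # fewer than this and the regularity statistic is meaningless
MAX_JITTER = 0.15     # coefficient of variation of the gaps; beacons sit far below this


def _series(host: str, dest: str, start: str, gaps_seconds: list) -> list:
    """Expand a start time plus a list of gaps into (host, dest, datetime) records."""
    t = datetime.strptime(start, TIME_FMT)
    out = [(host, dest, t)]
    for g in gaps_seconds:
        t += timedelta(seconds=g)
        out.append((host, dest, t))
    return out


# Constructed outbound-connection records (proxy/NetFlow style); hostnames are placeholders.
SAMPLE_CONNECTIONS = (
    _series("WS-0305", "portal.vpn-lookalike.example", "2024-09-08T13:00:00Z",
            [60, 61, 59, 60, 62, 60, 59, 60])                      # ~60 s cadence, tiny jitter
    + _series("WS-0305", "teams.microsoft.com", "2024-09-08T13:00:10Z",
              [5, 340, 12, 900, 44, 7, 210, 1500])                 # bursty, human-driven
    + _series("WS-0410", "portal.vpn-lookalike.example", "2024-09-08T13:05:00Z",
              [120, 130])                                          # too few samples to judge
)


def beacon_score(timestamps: list):
    """Return count, mean gap and jitter (stdev/mean of the gaps), or None if too few samples."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < MIN_CONNECTIONS - 1:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return {"count": len(ts), "mean_gap_s": round(mean, 1),
            "jitter": round(statistics.pstdev(gaps) / mean, 3)}


def find_beacons(connections: list) -> list:
    """Group by (host, dest) and report pairs whose connection timing is machine-regular."""
    pairs = defaultdict(list)
    for host, dest, ts in connections:
        pairs[(host, dest)].append(ts)
    beacons = []
    for (host, dest), stamps in pairs.items():
        score = beacon_score(stamps)
        if score and score["jitter"] <= MAX_JITTER:
            beacons.append({"host": host, "dest": dest, **score})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{b['host']} -> {b['dest']}: {b['count']} connections, "
              f"mean gap {b['mean_gap_s']} s, jitter {b['jitter']}")
```

Real implants add deliberate jitter, so in production the threshold is set from a baseline of known-good software updaters (which are also regular) and the result is combined with the destination's age and reputation rather than treated as a verdict on its own.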

5. Veeam Patches 18 Vulnerabilities, Including 5 Critical Flaws

Veeam has released security updates to address 18 vulnerabilities across its software products, including five critical flaws that could lead to remote code execution, and 13 high-severity issues involving privilege escalation and MFA bypass. The critical vulnerabilities are: CVE-2024-40711 in Veeam Backup & Replication, which allows remote code execution without authentication; CVE-2024-42024 in Veeam ONE, which enables remote code execution using Agent service account credentials; CVE-2024-42019 in Veeam ONE, which exposes the NTLM hash of the Veeam Reporter Service account; CVE-2024-38650 in Veeam Service Provider Console (VSPC), which allows attackers to retrieve the service account’s NTLM hash; and CVE-2024-39714 in VSPC, which lets low-privileged users upload arbitrary files, leading to remote code execution.

Vulnerable versions include Veeam Backup & Replication 12.2, Veeam Agent for Linux 6.2, Veeam ONE v12.2, Veeam Service Provider Console v8.1, Veeam Backup for Nutanix AHV Plug-In v12.6.0.632, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In v12.5.0.299.

It is crucial to update all affected Veeam products to the latest patched versions, regularly review and apply security patches promptly, and enable additional monitoring to detect any suspicious activities involving privilege escalation or unauthorized access. Immediate action is recommended to prevent exploitation of these vulnerabilities.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
