A common feature in all of the malicious documents Cisco Talos took apart is the presence of four non-malicious VBA subroutines. These subroutines appeared in every sample and were not obfuscated. Talos researchers suspect the benign code is included to lower the level of suspicion raised by the code MacroPack generates.
Is this a new malware campaign by a threat actor? Maybe not. MacroPack is a framework created for Red Teams to test the defences of willing organizations, so, the report says, it is possible the samples it found were part of red teaming exercises. In fact, the researchers were able to confirm that some of the samples were part of Red Team activities. Others, however, contained tactics and techniques that appear malicious.
At the very least, Cisco said, infosec pros should take the discovery as a reminder to update their Office suites to the latest version.