
Macro Malware Comes to macOS

After becoming a common occurrence on Windows-based computers over the past few years, malware that abuses macro-enabled Microsoft Office documents to spread is now targeting macOS users too.


Malicious macros in Office documents have been used to spread malware for over a decade, but their use dropped significantly after Microsoft disabled macros by default in Office 2007. A couple of years ago, however, the use of such macros recommenced, as cybercriminals started leveraging various social engineering techniques to trick users into enabling the macros.

Until now, only Windows users were targeted in such attacks, but it appears that actors building malware for Mac systems also decided to adopt the technique recently. According to Patrick Wardle, Director of Research at Synack, such an attack was recently carried out via a Word document named “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.”

By using ClamAV’s sigtool to extract embedded macros, the researcher stumbled upon Python code designed to perform a series of checks on the potential victim’s machine before it fetches and executes the malicious payload. As soon as the user opens the document in Word for Mac with macros enabled, the Fisher function is automatically executed.

The Fisher function was observed to decode a base64 chunk of data and then execute it via Python. The Python code, which appears to have been copied from the open-source EmPyre project, checks the machine to make sure LittleSnitch is not running, downloads the second-stage payload (from hxxps[:]//[.]asp), then RC4 decrypts this payload and executes it.
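The behaviours described above can be checked for statically once the macro source has been extracted as text. The following triage script is an added example, not code from the article or the researcher: it rejoins VBA string literals, decodes any base64 run without executing it, and flags the listed behaviours. The indicator regexes, function names and the inert sample macro are constructed assumptions.

```python
import base64
import re

# Constructed heuristics for the behaviours the article lists (assumptions, not vendor signatures).
INDICATORS = {
    "python_exec": re.compile(r"\bexec\s*\("),
    "littlesnitch_check": re.compile(r"little\s*\\?\s*snitch", re.I),
    "network_fetch": re.compile(r"\burl(?:lib2?|open)\b", re.I),
    "rc4_key_schedule": re.compile(r"range\(\s*256\s*\)"),
}
AUTO_EXEC = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:AutoOpen|Document_Open)\b", re.I | re.M)
STRING_LIT = re.compile(r'"([^"]*)"')
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def triage_macro(macro_text):
    """Statically decode base64 hidden in VBA string literals; nothing is executed."""
    report = {"auto_exec": bool(AUTO_EXEC.search(macro_text)), "decoded_stages": [], "indicators": set()}
    # VBA builds long strings piecewise (cmd = cmd + "..."), so rejoin the literals first.
    joined = "".join(STRING_LIT.findall(macro_text))
    for run in B64_RUN.findall(joined):
        try:
            stage = base64.b64decode(run, validate=True).decode("utf-8")
        except ValueError:  # not valid base64, or decoded bytes are not text
            continue
        report["decoded_stages"].append(stage)
        report["indicators"] |= {n for n, rx in INDICATORS.items() if rx.search(stage)}
    return report

def build_constructed_sample():
    """Constructed, inert macro: the hidden stage is comment text only."""
    inert = (
        "# constructed, inert stand-in for a decoded stage\n"
        "# looks for Little Snitch in the process list\n"
        "# urllib2.urlopen(PLACEHOLDER_URL)\n"
        "# S = range(256)  (RC4 key schedule)\n"
        "# exec(decrypted)\n"
    )
    b64 = base64.b64encode(inert.encode()).decode()
    chunks = [b64[i:i + 48] for i in range(0, len(b64), 48)]
    lines = ["Sub AutoOpen()", "    Fisher", "End Sub", "Sub Fisher()", '    cmd = ""']
    lines += ['    cmd = cmd + "%s"' % c for c in chunks]
    lines.append("End Sub")
    return "\n".join(lines)

if __name__ == "__main__":
    print(triage_macro(build_constructed_sample()))
```

An auto-run entry point combined with any decoded-stage indicator is a reasonable threshold for quarantining the document pending full analysis.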

While EmPyre is a known open-source multi-stage post-exploitation agent “built on cryptologically-secure communications,” it’s unknown what the second-stage payload included, as the file wasn’t available during analysis. While it might have been another EmPyre component, this payload could have been something entirely different as well.

“The second-stage component of Empyre is the persistent agent that affords a remote attacker continuing access to an infected host,” the researcher says. For persistence, a cron job, dylib hijack, launch daemon, or login hook is likely used.

“The persistent component of EmPyre can also be configured to run a wide range of EmPyre modules. These modules allow the attacker to perform a myriad of nefarious actions such as enabling the webcam, dumping the keychain, and accessing a user’s browser history,” the researcher notes.

The IP associated with the securitychecking(.)org website that hosts the malicious payload appears to be geolocated in Russia and was previously associated with phishing.

The malware used in this attack isn’t particularly advanced: it relies on user interaction to open the malicious document in Microsoft Word and enable macros, and it uses an open-source implant that is likely to be easily detected. However, the use of social engineering is noteworthy, especially since it exploits the weakest link in the chain, namely the human element.

“And moreover, since macros are ‘legitimate’ functionality (vs. say a memory corruption vulnerability), the malware’s infection vector doesn’t have to worry about crashing the system nor being ‘patched’ out,” the researcher concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
