After becoming a common occurrence on Windows-based computers over the past few years, Malware that abuses macro-enabled Microsoft Office documents to spread is now targeting macOS users too.
Malicious macros in Office documents have been used to spread malware for over a decade, but their use dropped significantly after Microsoft disabled macros by default in Office 2007. A couple of years ago, however, the use of such macros recommenced, as cybercriminals started leveraging various social engineering techniques to trick users into enabling the macros.
Until now, only Windows users were targeted in such attacks, but it appears that actors building malware for Mac systems also decided to adopt the technique recently. According to Patrick Wardle, Director of Research at Synack, such an attack was recently carried out via a Word document named “U.S. Allies and Rivals Digest Trumpâ€™s Victory – Carnegie Endowment for International Peace.docm.”
By using clamAV’s sigtool to extract embedded macros, the researcher stumbled upon Python code designed to perform a series of checks on the potential victim’s machine before it fetches and executes the malicious payload. As soon as the user opens the document in Word for Mac with macros enabled, the Fisher function is automatically executed.
The Fisher function was observed to decode a base64 chunk of data and then execute it via Python. The Python code, which appears to have been copied from the open-source EmPyre project, checks the machine to make sure LittleSnitch is not running, downloads the second-stage payload (from hxxps[:]//www.securitychecking.org:443/index[.]asp), then RC4 decrypts this payload and executes it.
While EmPyre is a known open-source multi-stage post-exploitation agent “built on cryptologically-secure communications,” it’s unknown what the second-stage payload included, as the file wasn’t available during analysis. While it might have been another EmPyre component, this payload could have been something entirely different as well.
“The second-stage component of Empyre is the persistent agent that affords a remote attacker continuing access to an infected host,” the researcher says. For persistence, cronjob, dylib hijack, launch daemon, or login hook are likely used.
“The persistent component of EmPyre can also be configured to run a wide range of EmPyre modules. These modules allow the attacker to perform a myriad of nefarious actions such as enabling the webcam, dumping the keychain, and accessing a user’s browser history,” the researcher notes.
The IP associated with the securitychecking(.)org website that hosts the malicious payload appears to be geolocated in Russia and was previously associated with phishing.
While the malware used in this attack isn’t particularly advanced, as it relies on user interaction to open the malicious document in Microsoft Word and enable macros, it also uses an open-source implant that is likely to be easily detected. However, the use of social engineering is noteworthy, especially since it exploits the weakest link in the chain, namely the human element.
“And moreover, since macros are ‘legitimate’ functionality (vs. say a memory corruption vulnerability), the malware’s infection vector doesn’t have to worry about crashing the system nor being ‘patched’ out,” the researcher concludes.