Researchers have identified what they believe is the first in-the-wild instance of hackers using malicious macros in Word documents to execute malware on Mac computers, instead of Windows-based machines.
Patrick Wardle, director of research at the cybersecurity company Synack, reported in a blog post this week that multiple Mac security researchers, admins, and malware experts collectively analyzed a newly discovered malicious Word document with the file name “U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm”.
Recipients who open this document and choose to enable macros on the resulting pop-up, are infected with embedded python code that is virtually identical to EmPyre, an open source Mac and Linux post-exploitation agent.
Despite serving a legitimate purpose – the automation of tasks – macros are often abused by developers of Windows-based malware, who have long banked on the fact that users either enable macros by default or dismiss warnings to disable them.
“Using Word macros as an infection vector exploits the weakest link: humans,” said Wardle, in an email interview with SC Media. “As operating systems and applications become harder to exploit (due to more secure coding practices, built-in exploitation mitigations, etc.), humans remain the constant.
Other reasons macros make popular cyberweapons: they work across platforms, and “as legitimate functionality, can't be fixed by a patch from the vendor,” Wardle added.
After performing a systems check for Little Snitch – Mac OS X's host-based application firewall product – the malware downloads a second-stage component that maintains persistence on infected machines. This component can run a variety of modules that are capable of operating a victim's webcam, dumping the keychain and viewing a user's browser history, among other malicious activities.
The command-and-control server from which this persistence module is downloaded is located in Russia and has a reputation for hosting phishing attacks, Wardle continued. (Presumably, phishing is the malicious Word document's method of distribution.)
Wardle told SC Media that he expects attackers will continue applying their existing Windows knowledge to target Mac users. For now, however, most Mac attacks, like this one, remain relatively unsophisticated. “I'm not sure if this is because the tools to detect such Mac malware/threats aren't as advanced as the Windows tools, or [because] Mac malware writers are less skilled or [less experienced] with the Mac platform... I'm guessing it's a combination of both, as I'm sure advanced nation-state hacker groups or governments have really sophisticated Mac capabilities.”