Threat Management, Incident Response, Malware, TDR

SC Media Exclusive: Fortinet uncovers malicious Word doc that infects both Windows and macOS machines


Researchers have discovered a malicious Word file that is designed to infect both Windows and macOS operating systems with malware payloads using macros, SC Media has learned after an exclusive first look at a report from Fortinet.

Last month, researchers from Synack identified what they believe is the first in-the-wild instance of hackers using malicious macros in Word documents to execute malware on Mac computers, instead of Windows-based machines. Targeting both operating systems in one malicious document would represent yet another evolution in attackers' tactics. "Since the malware targets both Apple Mac OS and Windows, the base of affected users is larger than before. This could be a trend," said Peixue Li, senior manager of FortiGuard Service Development & Security Research, Fortinet, in an emailed interview with SC Media.

In a blog post Wednesday, Fortinet notes that the Word document's malicious macros contain VBA (Visual Basic for Applications) code that deciphers and activates an encoded malicious script hidden within the doc's "Comments" section. Users are infected if they open the file and obey the resulting notification that asks them to enable macros on their machine.

Once activated, the malicious script – a slightly modified snippet of code from the Metasploit penetration testing framework – takes one of two paths, depending on whether the infected machine runs on Windows or macOS. Either way, however, the payload is a revised version of Meterpreter, a post-exploitation tool that is also derived from Metasploit and that can allow adversaries to take full control of an infected system.

For MacOS machines, the malware unleashes a slightly modified version of Meterpreter that is written in Python, because Python script can be run on macOS by default. "The script attempts to connect the infected machine to the host via port 443, but the server was not answering client requests at the time of Fortinet's analysis.

For Windows machines, the malware generates a sequence of PowerShell scripts that culminates in a revised version of Meterpreter compiled in a DLL file. It appears that the malware affects only the 64-bit version of Windows. Fortinet plans to publish additional findings at a later time.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.