A malicious Word file has been found using macros to infect machines running on both Windows and macOS. Fortinet researcher Peixue Li warns that this cross-platform tactic could become a new trend.

Researchers have discovered a malicious Word file that is designed to infect both Windows and macOS operating systems with malware payloads using macros, SC Media has learned after an exclusive first look at a report from Fortinet.

Last month, researchers from Synack identified what they believe is the first in-the-wild instance of hackers using malicious macros in Word documents to execute malware on Mac computers, instead of Windows-based machines. Targeting both operating systems in one malicious document would represent yet another evolution in attackers' tactics. "Since the malware targets both Apple Mac OS and Windows, the base of affected users is larger than before. This could be a trend," said Peixue Li, senior manager of FortiGuard Service Development & Security Research, Fortinet, in an emailed interview with SC Media.

In a blog post Wednesday, Fortinet notes that the Word document's malicious macros contain VBA (Visual Basic for Applications) code that deciphers and activates an encoded malicious script hidden within the doc's "Comments" section. Users are infected if they open the file and obey the resulting notification that asks them to enable macros on their machine.

Once activated, the malicious script – a slightly modified snippet of code from the Metasploit penetration testing framework – takes one of two paths, depending on whether the infected machine runs Windows or macOS. Either way, however, the payload is a revised version of Meterpreter, a post-exploitation tool that is also derived from Metasploit and that can allow adversaries to take full control of an infected system.

For macOS machines, the malware unleashes a slightly modified version of Meterpreter that is written in Python, because Python scripts can be run on macOS by default. The script attempts to connect the infected machine to the host sushi.vvlxpress.com via port 443, but the server was not answering client requests at the time of Fortinet's analysis.

For Windows machines, the malware generates a sequence of PowerShell scripts that culminates in a revised version of Meterpreter compiled in a DLL file. It appears that the malware affects only the 64-bit version of Windows. Fortinet plans to publish additional findings at a later time.
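As an added, detection-oriented example (not code from Fortinet's or SC Media's reporting), the check below flags a .docx that combines the two traits described above: an embedded VBA project and a long encoded blob in the document's "Comments" property, which OOXML stores as dc:description in docProps/core.xml. The sample packages are constructed in memory, and the 64-character blob threshold is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML part names; the blob-length threshold is an assumption.
VBA_PART = "word/vbaProject.bin"
CORE_PART = "docProps/core.xml"
MIN_BLOB_LEN = 64
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_BLOB_LEN)
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}

def inspect_docx(data: bytes) -> dict:
    """Return macro/comments indicators and a verdict for a .docx given as bytes."""
    result = {"has_vba": False, "comments_blob": False, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        result["has_vba"] = VBA_PART in names  # macro-enabled document
        if CORE_PART in names:
            root = ET.fromstring(z.read(CORE_PART))
            desc = root.find("dc:description", NS)  # the "Comments" property
            text = (desc.text or "") if desc is not None else ""
            result["comments_blob"] = bool(B64_RUN.search(text))
    if result["has_vba"] and result["comments_blob"]:
        result["verdict"] = "suspicious: macro plus encoded comments"
    elif result["has_vba"]:
        result["verdict"] = "review: macro present"
    return result

def build_sample(with_vba: bool, comment: str) -> bytes:
    """Construct a minimal docx-like package in memory (sample input, not a real document)."""
    core = ('<?xml version="1.0"?><cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:description>%s</dc:description></cp:coreProperties>'
            % (NS["cp"], NS["dc"], comment))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(CORE_PART, core)
        if with_vba:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")  # OLE header stub only
    return buf.getvalue()

if __name__ == "__main__":
    blob = "A" * 90  # constructed stand-in for an encoded script
    print(inspect_docx(build_sample(True, blob)))
    print(inspect_docx(build_sample(False, "Quarterly notes")))
```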