Word documents laced with malicious macros used to hack Apple Mac systems

Pierluigi Paganini February 13, 2017

Crooks exploiting Word documents laced with malicious macros to compromise Apple Mac systems exactly in the same way they do with Microsoft machines.

It’s amazing the number of Apple Mac users that tell me their systems are immune from malware. This false sense of security is very dangerous and I believe it is important to explain how also Mac system could be compromised by malicious codes.

I want to take advantage by telling you about a recent event to explore the topic, crooks exploiting Word documents laced with malicious macros to compromise Apple Mac systems exactly in the same way they do with Microsoft machines.

Last week, security experts observed a spike in the distribution spam messages using attachments embedding malicious macros. One of the baits was titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm,” when the Mac recipients open the documents are prompted to enable macros.

Apple MAC

If a Mac user enabled the macros, the file executes a Python function that downloads a malicious payload and executes it infecting the machine. The Python code is publicly available, it is part of the open-source project EmPyre, and as highlighted by the researcher Patrick Wardle, this new attack leverages old tricks.

“Today, Monday the 6th, was a busy day for macOS malware! First, Nex (@botherder) posted a great writeup, iKittens: Iranian actor resurfaces with malware for mac (macdownloader), which detailed some new macOS malware. Shortly thereafter, my friend Scott (@0xdabbad00) brought to my attention the following tweet:

A malicious Word document targeting Mac users? I was intrigued :). I grabbed the sample (“U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm”), noting that only 4 AV engines currently flagged it as malicious”

The analysis of the attack revealed that the IP address used by crooks to spread the malware is located in Russia and was not new to researchers monitoring phishing campaigns.

The security researcher Patrick Wardle explained that the this Apple Mac Malware is not sophisticated, the attack needs the user interaction to compromise the machine.

The reliance on macros rather than a software vulnerability implies that the exploit can’t be blocked only by patching systems.

“Overall this malware sample isn’t particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word, (not Apple’s Pages)), as well as needs macros to be enabled. Most users know never to allow macros – right!?! Moreover using an open-source implant likely ensures that detection software should detect it – right!?” concluded Wardle. 

“However let’s be nice and give the attackers some credit. By using a macros in Word document they are exploiting the weakest link; humans! And moreover since macros are ‘legitimate’ functionality (vs. say a memory corruption vulnerability) the malware’s infection vector doesn’t have to worry about crashing the system nor being ‘patched’ out. “

Recently the security researchers Claudio Guarnieri and Collin Anderson have analyzed samples of the MacDownloader malware that was disguised by nation-state hackers as a Flash Player update and a Bitdefender adware removal tool.

According to the researchers, the malware was first “poorly” developed the end of 2016, the experts noticed its code was copied from other sources. Anyway, at the time of writing the analysis, MacDownload is undetected by virus scanning engines on VirusTotal, while at the time I was writing just a dozen vendors have recognized the bogus Flash Player and Bitdefender apps as a threat.

This last case demonstrates that Apple MAC threat landscape is very active, for this reason, it is important awareness and a proper security posture for MAC users.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Apple MAC, malware)



you might also like

leave a comment