The Hackr

Mac Users Under “MACRO” Malware Attack

After hounding Windows users for well over two decades, macro malware has turned its attention to Apple’s macOS, on which Microsoft Office is also available.

A macro is a series of commands and actions that automate repetitive tasks. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), but macros can also be used for malicious purposes, such as installing malware.

The first macro-based Word document malware attack on macOS users was discovered this week, on Monday, by Snorre Fagerland, Senior Principal Security Researcher at Symantec, and later analyzed by Patrick Wardle, Director of Research at Synack.

A Word file named “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm” was, at the time it was discovered, detected by only four antivirus scanners on VirusTotal.

This Word document contained a macro script that prompted Office to show Mac users a warning that most Windows users are very familiar with.

Denying permission keeps you safe, but if the user ignores the warning and enables macros, the embedded macro executes a function, coded in Python, that downloads the malware payload and infects the Mac, allowing attackers to monitor the webcam, access browser history, and steal passwords and encryption keys.
After taking a closer look at the extracted Python commands (which contained a chunk of base64 data), Wardle says the script goes through four stages:
  • Checks whether a Mac security app called LittleSnitch is running
  • Downloads another payload from a remote server
  • Decrypts the payload via RC4
  • Executes the decrypted payload
Wardle identified the commands in the first-stage payload as snippets taken from EmPyre, a post-exploitation OS X/Linux agent written in Python 2.7. Unfortunately, the remote server was down when Wardle analyzed the macro script, so he never got to verify the true capabilities and purpose of the second-stage payload.
Common sense suggests that the second-stage payload also borrowed tricks from EmPyre, which includes modules for dumping the Apple keychain (the password store), spying via the webcam, and stealing browser history files.
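As an added, defender-side example (not code from the article or from Wardle's analysis), the following Python script performs the first triage step an analyst or mail gateway would run on a file like the .docm above: it opens the OOXML package, checks whether a VBA project is present and declared, and flags raw-byte markers such as the base64 chunk, `python` and `LittleSnitch` mentioned above. The sample package is constructed inline; real macro source is compressed inside vbaProject.bin, so full extraction would use a tool such as olevba.

```python
"""Offline triage of an Office file for an embedded VBA project (added example)."""
import io
import re
import zipfile

# OOXML part names that hold a VBA project (Word, Excel, PowerPoint packages).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Raw-byte markers from the article plus the VBA calls that reach the shell/AppleScript on macOS.
MARKERS = (b"python", b"base64", b"LittleSnitch", b"Shell", b"MacScript", b"AutoOpen")
CONTENT_TYPES_XML = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '%s</Types>')
VBA_OVERRIDE = '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'

def triage_office_file(data: bytes) -> dict:
    """Return structural macro indicators for an OOXML document given as bytes."""
    result = {"is_ooxml": False, "has_vba_project": False,
              "declares_macro_type": False, "suspicious_strings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an OOXML package at all (e.g. legacy .doc or plain text)
    result["is_ooxml"] = True
    names = set(zf.namelist())
    vba_parts = [p for p in VBA_PARTS if p in names]
    result["has_vba_project"] = bool(vba_parts)
    if "[Content_Types].xml" in names:
        result["declares_macro_type"] = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    # VBA module source is normally MS-OVBA compressed inside vbaProject.bin, so a raw
    # scan only catches uncompressed leftovers; full extraction needs a tool like olevba.
    for part in vba_parts:
        blob = zf.read(part)
        result["suspicious_strings"] += [m.decode() for m in MARKERS if m.lower() in blob.lower()]
        if re.search(rb"[A-Za-z0-9+/]{200,}={0,2}", blob):
            result["suspicious_strings"].append("long base64 blob")
    return result

def build_sample_package(macro_blob: bytes = b"") -> bytes:
    """Build a minimal constructed .docm (or a plain .docx when macro_blob is empty)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML % (VBA_OVERRIDE if macro_blob else ""))
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_blob:
            zf.writestr("word/vbaProject.bin", macro_blob)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_package(b"Sub AutoOpen()\n MacScript \"python -c 'import base64'\"\nEnd Sub\n")
    print(triage_office_file(sample))  # constructed sample: shows has_vba_project=True and the markers hit
```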

Wardle also discovered that the server from where the Word macro script downloaded the second-stage payload was located in Russia, on an IP address previously associated with other malware campaigns.

Moreover, since macros are ‘legitimate’ functionality (as opposed to, say, a memory corruption vulnerability), the malware’s infection vector doesn’t have to worry about crashing the system or being ‘patched’ out.

Researchers have spotted macOS malware targeting mostly the defense industry, and it has reportedly been used against a human rights advocate.
The best way to avoid these kinds of attacks is to deny permission when a suspicious Word document asks to enable macros, and to avoid downloading software from third-party app stores or untrusted websites.


Abhilash

It was a hobby I got into a long time ago, hacking cameras. And I am here making posts @TheHackr today!
