After hounding Windows users for well over two decades, macro malware has turned its attention to Apple’s macOS, on which Microsoft Office is also available.
A macro is a series of commands and actions that automate tasks. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), but the same mechanism can be used for malicious purposes, such as installing malware.
The first macro-based Word document malware attack on macOS users was discovered this week, on Monday, by Snorre Fagerland, Senior Principal Security Researcher at Symantec, and later analyzed by Patrick Wardle, Director of Research at Synack.
The Word file was named “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm” and, at the time it was discovered, was detected by only four antivirus scanners on VirusTotal.
This Word document contained a macro script that prompted Office to show Mac users the same warning about enabling macros that most Windows users are very familiar with. Once macros were enabled, the script would:
- Check whether a Mac security app called LittleSnitch was running
- Download another payload from a remote server
- Decrypt the payload via RC4
- Execute the decrypted payload
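The defensive counterpart to the behaviour described above is to find out whether a Word file carries a VBA project at all before anyone opens it. A `.docm` is an OOXML zip container, so the macro question reduces to inspecting the package: the declared content type of the main document part and the presence of a `vbaProject.bin` part. The triage script below is an added example, not code from the article or from either researcher. It builds two constructed sample packages in memory (one macro-enabled, one plain), so it runs offline; the VBA placeholder inside them is constructed text, and the indicator strings are assumptions chosen for illustration (“LittleSnitch” comes from the page, the rest are standard VBA names).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML content types (from the ECMA-376 / Office conventions).
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Assumed indicator list for the naive scan. AutoOpen/Document_Open are the standard
# auto-run procedure names, MacScript is VBA's hook for running AppleScript on Mac,
# and LittleSnitch is the security tool the reported sample checked for.
SUSPICIOUS_STRINGS = [b"AutoOpen", b"Document_Open", b"LittleSnitch", b"MacScript"]


def build_sample(macro_enabled: bool) -> bytes:
    """Constructed stand-in for a Word package; not the real document from the article."""
    main_type = MACRO_ENABLED_MAIN if macro_enabled else PLAIN_DOCX_MAIN
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if macro_enabled:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS[1:-1]}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    # Constructed placeholder. Real vbaProject.bin modules are MS-OVBA compressed,
    # so their source is not visible as plain text; this placeholder keeps the
    # strings in the clear so the naive scan below has something to find.
    fake_vba = (
        b'\x00\x01Attribute VB_Name = "ThisDocument"\n'
        b"Sub AutoOpen()\n"
        b'  If Not IsRunning("LittleSnitch") Then MacScript(cmd)\n'
        b"End Sub\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            z.writestr("word/vbaProject.bin", fake_vba)
    return buf.getvalue()


def triage_office_file(data: bytes) -> dict:
    """Report whether an OOXML package carries a VBA project and what Word will treat it as."""
    result = {"is_ooxml": False, "main_content_type": None,
              "has_vba_project": False, "indicators": []}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an OOXML container (could be legacy OLE .doc; not handled here)
    result["is_ooxml"] = True
    names = z.namelist()

    # 1. The declared content type of the main part, independent of the file extension.
    if "[Content_Types].xml" in names:
        root = ET.fromstring(z.read("[Content_Types].xml"))
        for override in root.iter(CT_NS + "Override"):
            if override.get("PartName") == "/word/document.xml":
                result["main_content_type"] = override.get("ContentType")

    # 2. Any vbaProject.bin part anywhere in the package means embedded VBA.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["has_vba_project"] = bool(vba_parts)

    # 3. Naive string scan of the VBA part; only catches uncompressed strings.
    for part in vba_parts:
        blob = z.read(part)
        result["indicators"].extend(s.decode() for s in SUSPICIOUS_STRINGS if s in blob)
    return result


if __name__ == "__main__":
    for label, flag in (("macro-enabled sample", True), ("plain sample", False)):
        print(label, triage_office_file(build_sample(flag)))
```

The presence check in step 2 is the reliable part of this triage: a zip entry named `vbaProject.bin` cannot be hidden by renaming the file. The string scan in step 3 is deliberately shallow, because real VBA modules are stored compressed; for actual analysis, a tool that decompresses MS-OVBA streams (such as oletools’ `olevba`) is the right next step.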
Wardle also discovered that the server from which the Word macro script downloaded the second-stage payload was located in Russia, on an IP address previously associated with other malware campaigns.
“Moreover, since macros are ‘legitimate’ functionality (vs., say, a memory corruption vulnerability), the malware’s infection vector doesn’t have to worry about crashing the system or being ‘patched’ out.”