After targeting Windows-based computers over the past few years, hackers are now shifting their interest to Macs as well. The emergence of the first macro-based Word document attack against Apple’s macOS platform is the latest example to prove this.
The concept of macros dates back to the 1990s. You might be familiar with the message that reads: “Warning: This document contains macros.”
A macro is a series of commands and actions that automate repetitive tasks. Microsoft Office programs support macros written in Visual Basic for Applications (VBA), and because a macro can run arbitrary code on the host, the same mechanism can be abused for malicious activities such as installing malware.
Until now, attackers used this technique almost exclusively against Windows. Security researchers have now detected the first in-the-wild instance of malicious macros in Word documents being used to install malware on Mac computers and steal data, an old Windows technique ported to a new platform.
The hack tricks victims into opening infected Word documents that subsequently run malicious macros. One such malicious Word file discovered by the researcher was titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.”
When the document is opened, Word for Mac prompts the user before any macro runs. Declining the prompt stops the attack. If the user enables macros despite the warning, the embedded macro runs a function written in Python that downloads the malware payload and infects the Mac, giving the attackers the ability to monitor the webcam, read browser history, and steal passwords and encryption keys.
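The chain above (a .docm that carries a VBA project, which fires on open and shells out to Python) can be triaged statically before anyone opens the file. The script below is an added example written for this page; it is not code from Wardle's post or from the original article. A .docm is an Office Open XML zip package: the VBA code lives in word/vbaProject.bin and the main part is declared with the macro-enabled content type in [Content_Types].xml. The script confirms both and then searches the VBA part for auto-execution entry points, shell execution, a Python interpreter, and download or encoding strings. The sample document and its macro text are constructed inline so the check runs offline. One caveat: a real vbaProject.bin is an OLE container whose module source is MS-OVBA compressed, so a raw byte search can miss strings; in practice decompress it with a dedicated tool such as oletools' olevba and apply the same indicator logic to the recovered source.

```python
import io
import re
import sys
import zipfile

# Content types Word assigns to the main part of .docm (macro-enabled) and .docx documents.
MACRO_ENABLED_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Constructed stand-in for word/vbaProject.bin. A real one is an OLE compound file
# with MS-OVBA-compressed module source; plain text is used here only so the
# example is self-contained. The macro text is invented for illustration.
SAMPLE_VBA = (
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b"Sub AutoOpen()\r\n"
    b'    Shell "python -c \'import base64,sys;exec(base64.b64decode(sys.argv[1]))\' ..."\r\n'
    b"End Sub\r\n"
)

CONTENT_TYPES_TEMPLATE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    b'<Override PartName="/word/document.xml" ContentType="__MAIN__"/>'
    b"</Types>"
)

# Crude indicators a responder would grep for in recovered VBA source.
INDICATORS = {
    "auto-exec entry point": re.compile(rb"\b(AutoOpen|Auto_Open|Document_Open|AutoExec|Workbook_Open)\b", re.I),
    "shell execution": re.compile(rb"\b(Shell|MacScript|AppleScriptTask|CreateObject)\b", re.I),
    "python interpreter": re.compile(rb"\bpython\b", re.I),
    "download/URL": re.compile(rb"https?://|urllib|\bcurl\b|\bwget\b", re.I),
    "encoded payload": re.compile(rb"base64|b64decode", re.I),
}


def build_sample_docm(include_vba: bool = True) -> bytes:
    """Build a minimal constructed OOXML package (not a real document from the attack)."""
    main_ct = MACRO_ENABLED_MAIN if include_vba else DOCX_MAIN
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", CONTENT_TYPES_TEMPLATE.replace(b"__MAIN__", main_ct))
        pkg.writestr("word/document.xml", b"<w:document/>")
        if include_vba:
            pkg.writestr("word/vbaProject.bin", SAMPLE_VBA)
    return buf.getvalue()


def scan_docm(data: bytes) -> dict:
    """Static triage: is this an OOXML package, does it carry VBA, and what does the VBA contain?"""
    result = {"is_ooxml": False, "has_vba_project": False,
              "macro_enabled_content_type": False, "indicators": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy .doc (OLE) or not a document at all; needs a different parser
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        try:
            ctypes = pkg.read("[Content_Types].xml")
        except KeyError:
            ctypes = b""
        result["macro_enabled_content_type"] = MACRO_ENABLED_MAIN in ctypes
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["has_vba_project"] = bool(vba_parts)
        hits = set()
        for part in vba_parts:
            blob = pkg.read(part)
            for label, pattern in INDICATORS.items():
                if pattern.search(blob):
                    hits.add(label)
        result["indicators"] = sorted(hits)
    return result


if __name__ == "__main__":
    # With no arguments, triage the constructed sample; otherwise triage the given files.
    targets = [("constructed sample", build_sample_docm())]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            targets.append((path, fh.read()))
    for name, blob in targets:
        print(name, scan_docm(blob))
```

Run it as `python3 docm_triage.py suspicious.docm` (the file name is a placeholder). A hit on "has_vba_project" alone is not malicious by itself; the combination of an auto-exec entry point with shell execution and an interpreter or download string is what should move the file to a sandbox rather than a user's desktop.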
According to a blog post published this week by Patrick Wardle, director of research at security firm Synack, the Python function is virtually identical to EmPyre – an open source Mac and Linux post-exploitation agent.
“It’s kind of a low-tech solution, but on one hand it’s abusing legitimate functionality so it’s not going to crash like a memory corruption or overflow might, and it’s not going to be patched out,” said Wardle.
Wardle traced the IP address associated with the malicious Word documents to Russia; the same IP had previously been linked to malicious activity such as phishing attacks.
A second macOS attack reported this week also borrowed a standard Windows technique: it prompted users to download and install a fake software update which instead harvested the user's Keychain, phished for usernames and passwords, and collected other sensitive data.
The malware, dubbed MacDownloader, presented itself both as an Adobe Flash update and as the Bitdefender Adware Removal Tool, the kind of prompt many users find annoying and dismiss without reading.
That is exactly what the attackers count on. Whether the user clicks to reject the update or presses yes to dismiss the prompt for good, the malware proceeds to harvest the Keychain, phish for usernames and passwords, collect private and sensitive data, and send it all back to the attackers.
Researchers observed this macOS malware targeting mainly the defense industry, and it has reportedly also been used against a human rights advocate.
The best defence against both attacks is simple: do not enable macros when a suspicious Word document asks for permission, and do not download software or updates from third-party app stores or untrusted websites.