Mac malware discovered in Microsoft Word document with auto-running macro

Posted in Mac OS X
A second example of malware targeting macOS users has surfaced this week: a Word document whose automatically-running macro tries to download a hazardous payload and infect the target Mac.

According to analysis published by Objective-See, the Word file, titled "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace", shows the usual Word macro warning when a potential victim opens it. The notice warns that macros could contain viruses and offers three choices: open the file with macros enabled, open it with macros disabled, or not open it at all.

If the document is opened with macros enabled, the auto-executing macro runs a Python script that first checks whether the network monitoring tool Little Snitch is running (and quits if it is), then downloads a second-stage payload from a specific URL, decrypts it, and executes it. The Python code is taken from the open-source EmPyre post-exploitation framework, used "almost verbatim."

Because the payload is no longer reachable at that URL, it is impossible to know exactly what happened to victims, but the second-stage EmPyre components researchers recovered hint at what would have taken place: the payload would most likely persist on the Mac so that it runs again after a reboot, and then act according to whichever EmPyre modules the attacker chose.

Those modules give attackers a multitude of ways to collect data, including keyloggers, Keychain dumps, clipboard monitoring, screenshots, access to iMessage, and even the attached webcam.

The infected Word file is entitled "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace"
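How a defender would look for this kind of trigger statically, as an added example that is not part of the article or of Objective-See's analysis: Word stores macro source in the document's vbaProject.bin, with each module stream compressed using the MS-OVBA CompressedContainer scheme. The Python below implements that decompression, then scans the recovered source for auto-executing procedure names such as AutoOpen and for keywords that point at a shell-out to python. The macro text, the keyword list and the container bytes are constructed here (the real document's macro is not reproduced on this page); extracting the module streams from vbaProject.bin is left to a tool such as oletools' olevba.

```python
"""Find auto-executing procedures in a Word document's VBA (added example).

Word keeps macro source in vbaProject.bin, each module stream compressed with
the MS-OVBA CompressedContainer scheme ([MS-OVBA] 2.4.1).  decompress_ovba
follows that spec; the macro text and container below are constructed so the
script runs offline.
"""
import re

# Procedure names Word runs on its own once macros are enabled.
AUTO_EXEC = {"autoopen", "document_open", "autoexec", "autonew", "autoclose"}
# Keywords worth a second look in a macro aimed at macOS (assumption: extend as needed).
SUSPICIOUS = ("python", "MacScript", "Shell", "AppleScript", "CreateObject", "Environ")


def decompress_ovba(container: bytes) -> bytes:
    """Decompress a CompressedContainer: signature byte 0x01, then chunks."""
    if not container or container[0] != 0x01:
        raise ValueError("not a CompressedContainer")
    out = bytearray()
    pos = 1
    while pos + 1 < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)  # size field = total - 3
        compressed = header >> 15
        pos += 2
        chunk_start = len(out)             # copy tokens may not reach before this point
        if not compressed:                 # raw chunk: 4096 bytes copied verbatim
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]         # bit i of the flag byte describes token i
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:             # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")  # copy token
                pos += 2
                written = len(out) - chunk_start
                bit_count = max((written - 1).bit_length(), 4)   # ceil(log2(written)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):    # byte by byte: source and destination may overlap
                    out.append(out[src + i])
    return bytes(out)


def compress_ovba(raw: bytes) -> bytes:
    """Build a valid container without searching for back-references: full 4096-byte
    chunks go out raw, the tail as literal tokens only (enough for test input)."""
    container = bytearray(b"\x01")
    for start in range(0, len(raw), 4096):
        chunk = raw[start:start + 4096]
        if len(chunk) == 4096:             # flag 0, signature 0b011, size field 4095
            container += (0x3FFF).to_bytes(2, "little") + chunk
            continue
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)              # flag byte: the next eight tokens are literals
            body += chunk[i:i + 8]
        if len(body) > 4096:               # literal-only encoding would overflow the 12-bit size
            raise ValueError("tail too large for literal-only encoding; use back-references")
        container += (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body  # flag 1, sig 0b011
    return bytes(container)


def triage_vba(source: str) -> dict:
    """Report procedures, auto-exec entry points and suspicious keywords in one module."""
    procs = re.findall(r"^[ \t]*(?:Public[ \t]+|Private[ \t]+)?(?:Sub|Function)[ \t]+(\w+)",
                       source, re.IGNORECASE | re.MULTILINE)
    return {
        "procedures": procs,
        "auto_exec": [p for p in procs if p.lower() in AUTO_EXEC],
        "suspicious": [k for k in SUSPICIOUS
                       if re.search(r"\b%s\b" % re.escape(k), source, re.IGNORECASE)],
    }


def triage_module_stream(container: bytes) -> dict:
    """Decompress one module stream and triage its source (VBA source is 8-bit text)."""
    return triage_vba(decompress_ovba(container).decode("latin-1"))


# Constructed macro mimicking the behaviour the article describes (an AutoOpen that
# shells out to python); it is not the real document's macro.  STAGER is a placeholder.
SAMPLE_VBA = (
    'Attribute VB_Name = "NewMacros"\r\n'
    "Sub AutoOpen()\r\n"
    "    Dim cmd As String\r\n"
    "    cmd = \"python -c 'import sys,base64;exec(base64.b64decode(STAGER))'\"\r\n"
    '    MacScript "do shell script " & Chr(34) & cmd & Chr(34)\r\n'
    "End Sub\r\n"
    "Sub Helper()\r\n"
    "End Sub\r\n"
)
SAMPLE_STREAM = compress_ovba(SAMPLE_VBA.encode("latin-1"))

if __name__ == "__main__":
    print(triage_module_stream(SAMPLE_STREAM))
```

The decompressor is the part to keep: the same routine recovers the module source of any Office file once the stream is out of the OLE container, and the auto-exec list is what turns "this document has macros" into "this document runs code the moment it opens".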

The malware "isn't particularly advanced," says security researcher Patrick Wardle of Synack, since it needs the user both to open the document and to enable macros. Wardle does give the file's creators some credit for exploiting users as "the weakest link" in security, and for taking advantage of the "legitimate" functionality of macros, an infection vector that "doesn't have to worry about crashing the system nor being 'patched' out."

Malware embedded in documents is a relatively old infection technique, one that has largely affected Windows users rather than Mac users, and despite relying heavily on the user disregarding the initial warning it has found success in the past. The notable Melissa virus of 1999 used a Word macro to infect systems, e-mailing copies of the file to a number of the user's contacts in order to spread.

This infected Word document arrives at the same time as another piece of macOS malware. MacDownloader, believed to have been created by Iranian hackers, used a fake aerospace website offering a bogus Flash update to target members of the U.S. defense industry and human rights advocates.

Comments

  • Reply 1 of 13
    So in other words, still Microsoft's fault.
  • Reply 2 of 13
    rob53 Posts: 1,459, member
    staticx57 said:
    So in other words, still Microsoft's fault.
    Yep. I thought Microsoft macros were a thing of the past or had finally been secured. Guess not! Along with Flash, these macros deliver the most malware to Macs but we have to use Microsoft software so we just live with it. /s
  • Reply 3 of 13
    One big problem/annoyance with MS Office macros is that when you get the warning, you don't have any other information about what the macro is. There are legitimate uses for macros, meaning you can't always keep macros turned off completely. Still, I can't think of many that would require the level of access used by this exploit, so it would be helpful if Microsoft limited the abilities of macros to do so, and getting a file like this with a macro built in should be a huge red flag.
  • Reply 4 of 13
    dysamoria Posts: 1,133, member
    Yay. MS Word on Mac is now more like on Windows.

    Yay. Macs are now used enough to be targeted by malware on a regular basis.
  • Reply 5 of 13
    rwes Posts: 140, member
    MplsP said:
    One big problem/annoyance with MS Office macros is that when you get the warning, you don't have any other information about what the macro is. There are legitimate uses for macros, meaning you can't always keep macros turned off completely. Still, I can't think of many that would require the level of access used by this exploit, so it would be helpful if Microsoft limited the abilities of macros to do so, and getting a file like this with a macro built in should be a huge red flag.
    I agree, a notification as to what the macro does would be helpful, but without some well-written algorithm, a -description- which would be left to the developer couldn't be explicitly trusted.

    Also agree that, much like iOS security, MS should/could restrict features of macros and allow the user to decide; e.g. "Download remote files", "Directory Browsing / Reading"...
  • Reply 6 of 13
    MplsP said:
    One big problem/annoyance with MS Office macros is that when you get the warning, you don't have any other information about what the macro is. There are legitimate uses for macros, meaning you can't always keep macros turned off completely. Still, I can't think of many that would require the level of access used by this exploit, so it would be helpful if Microsoft limited the abilities of macros to do so, and getting a file like this with a macro built in should be a huge red flag.
    That is the typical dumb Microsoft approach. Their error exposure to users is useless. They say there is a problem, but do not provide the user with sufficient information to take action. They could have replaced it with cryptic codes as well. It is like "you cannot delete the file because it is in use by another program." Really??? No kidding! Which one? Working with MS-trained support people in business brings this sort of attitude and low level of understanding of the process, so that it ends up with the typical recommendation: "Please reboot." A magic solution to Microsoft's bad approach to handling the situation, by the user or by support. Working with three platforms (Microsoft, Apple and open-source Linux) I learned quite a lot about attitudes and cultures, but the least arrogant and most helpful at the same time were... the engineers around Linux. I am not saying it was the greatest, but it was the most logical.

    Macros in Word are only one symptom. You can add to this too-talkative applications, bad problem messages, poor issue handling, lack of understanding of its own technology (poor clarity and transparency, probably by the vendor), etc. That also causes some people to get creative and exploit all this.
    edited February 9
  • Reply 7 of 13
    MplsP said:
    One big problem/annoyance with MS Office macros is that when you get the warning, you don't have any other information about what the macro is. There are legitimate uses for macros, meaning you can't always keep macros turned off completely. Still, I can't think of many that would require the level of access used by this exploit, so it would be helpful if Microsoft limited the abilities of macros to do so, and getting a file like this with a macro built in should be a huge red flag.
    That is the typical dumb Microsoft approach. Their error exposure to users is useless. They say there is a problem, but do not provide the user with sufficient information to take action. They could have replaced it with cryptic codes as well. It is like "you cannot delete the file because it is in use by another program." Really??? No kidding! Which one? Working with MS-trained support people in business brings this sort of attitude and low level of understanding of the process, so that it ends up with the typical recommendation: "Please reboot." A magic solution to Microsoft's bad approach to handling the situation, by the user or by support. Working with three platforms (Microsoft, Apple and open-source Linux) I learned quite a lot about attitudes and cultures, but the least arrogant and most helpful at the same time were... the engineers around Linux. I am not saying it was the greatest, but it was the most logical.

    Macros in Word are only one symptom. You can add to this too-talkative applications, bad problem messages, poor issue handling, lack of understanding of its own technology (poor clarity and transparency, probably by the vendor), etc. That also causes some people to get creative and exploit all this.
    True that. Another annoying issue is the fact that "legitimate" abuse exists, and is rarely punished. Legitimate means here that established businesses do the abuse. Exhibit case 1: the Nvidia update software also steals all sorts of data about you and how you use your software. Exhibit case 2: several well-known sites hijack copy-and-paste to add their own URL in. It's annoying as hell. Exhibit case 3: several video sites actively check if you keep the window on top or change sound levels and restart a round of ads (for some, even of increasing duration ads...) if you do. Exhibit case 4: several websites insist on serving abusive intrusive ads and spyware and just shut you out if you run adblockers. This type of behavior is ultimately dangerous, as it instills the idea in users that this is how computers work. It's not.
  • Reply 8 of 13
    "...python script, which first checks if network monitoring tool Little Snitch is running..."

    So does this mean Little Snitch stops it in its tracks?
    edited February 9
  • Reply 9 of 13
    Word Macro viruses have been around for decades.  This is nothing new.  That is why there is a Macro warning dialog box with the default selection of 'Disable Macros' so you can prevent it from running if the document came from an untrusted source.  Macros are quite useful in Excel.  Be careful what you open.  
  • Reply 10 of 13
    jdw Posts: 442, member
    "...first checks if network monitoring tool Little Snitch is running..."

     And if Little Snitch is running, then what? Nothing?
     Why doesn't the article tell us?
    edited February 9
  • Reply 11 of 13
    The irony of a Mac getting infected due to poorly written Microsoft software is not lost on me.
  • Reply 12 of 13
    jdw Posts: 442, member
    Malcolm Owen, author of the article under which we are commenting, I shall repeat my previous questions so you can kindly answer them for us...

    "...first checks if network monitoring tool Little Snitch is running..." 

     And if Little Snitch is running, then what? Nothing? 
     Why doesn't the article tell us?
    edited February 13
  • Reply 13 of 13
    Marvin Posts: 13,861, moderator
    jdw said:
    Malcolm Owen, author of the article under which we are commenting, I shall repeat my previous questions so you can kindly answer them for us...

    "...first checks if network monitoring tool Little Snitch is running..." 

     And if Little Snitch is running, then what? Nothing? 
     Why doesn't the article tell us?
    The link in the article shows the code:

    import re
    import subprocess
    import sys

    # list every process and look for Little Snitch by name
    cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
    ps = subprocess.Popen(cmd, shell = True, stdout = subprocess.PIPE)
    out = ps.stdout.read()
    ps.stdout.close()
    # quit before fetching stage two if the firewall is present (Python 2: out is a str)
    if re.search("Little Snitch", out):
       sys.exit()

    If it finds Little Snitch in the running processes, it terminates the script before downloading the malware. Little Snitch would warn about the connection to the malware so they'd want to avoid detection as much as possible. Also, the malware is spyware so Little Snitch would likely block the outgoing data.

    Network restrictions should really be a system-level policy in OS X where software is run without network access by default and has to be explicitly given network access. It can be allowed on a temporary basis like in the command line when someone is actively using the terminal. Most people would only ever need to give network access to trusted software like their browser, Mail and chat software. The malware, which contained spyware software would be unable to send keylogged data or webcam data out by default and any attempt would be shown explicitly to the user.
    edited February 13
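What the check quoted in the comment above looks like from the defender's side, as an added example (mine, not the commenter's, the article's or EmPyre's code): with per-exec telemetry from an endpoint sensor, the tell is not the ps|grep itself but who its ancestors are. The Python below rebuilds the process tree from a handful of constructed events and flags shells or interpreters whose ancestry leads back to an Office application, and separately flags any command line that enumerates security tools, rating it high only when it also runs under Office. The event records, the tool names beyond Little Snitch and the interpreter list are assumptions to tune for a given fleet.

```python
"""Flag macro-style process chains in exec telemetry (added example).

The events are constructed to resemble what a macOS endpoint sensor records
per exec (pid, ppid, executable path, argv); they are not real telemetry from
the sample discussed in the thread.
"""
import os
import re

# Parents that should never be spawning shells or interpreters in normal use.
OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
# What a macro stager typically execs on macOS (assumption: tune to your fleet).
INTERPRETERS = {"sh", "bash", "zsh", "python", "python2", "python3", "osascript", "curl", "perl"}
# Little Snitch is the tool the stager in the article checks for; LuLu is added as an
# assumption about what similar stagers look for.
SECURITY_TOOLS = ("Little Snitch", "LuLu")
ENUM_COMMANDS = ("ps ", "pgrep", "launchctl list")

# Constructed events, one per exec.  STAGER stands in for the base64 blob.
EVENTS = [
    {"pid": 401, "ppid": 1, "exe": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
     "argv": ["Microsoft Word"]},
    {"pid": 402, "ppid": 1, "exe": "/Applications/Safari.app/Contents/MacOS/Safari", "argv": ["Safari"]},
    {"pid": 403, "ppid": 1, "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "argv": ["Terminal"]},
    # the AutoOpen macro shells out to python with an inline stager
    {"pid": 520, "ppid": 401, "exe": "/bin/sh",
     "argv": ["sh", "-c", "python -c 'exec(__import__(\"base64\").b64decode(STAGER))'"]},
    {"pid": 521, "ppid": 520, "exe": "/usr/bin/python",
     "argv": ["python", "-c", "exec(__import__(\"base64\").b64decode(STAGER))"]},
    # the stager's firewall check, the same pipeline quoted in the comment
    {"pid": 522, "ppid": 521, "exe": "/bin/sh",
     "argv": ["sh", "-c", "ps -ef | grep Little\\ Snitch | grep -v grep"]},
    # benign: a download launched by the browser, not by an Office app
    {"pid": 600, "ppid": 402, "exe": "/usr/bin/curl",
     "argv": ["curl", "-O", "https://example.invalid/update.zip"]},
    # a user running the same ps|grep by hand in Terminal
    {"pid": 700, "ppid": 403, "exe": "/bin/zsh", "argv": ["zsh", "-c", "ps -ef | grep 'Little Snitch'"]},
]


def _name(event):
    return os.path.basename(event["exe"])


def office_ancestor(tree, event):
    """Walk up the parent chain; return the first Office app found, else None."""
    seen, pid = set(), event["ppid"]
    while pid in tree and pid not in seen:
        seen.add(pid)
        parent = tree[pid]
        if _name(parent) in OFFICE_APPS:
            return parent
        pid = parent["ppid"]
    return None


def detect(events):
    """Return one finding per (process, rule) that fires."""
    tree = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmdline = " ".join(e["argv"])
        # strip shell escapes and quotes so "Little\ Snitch" and "'Little Snitch'" both match
        plain = re.sub(r"\\(.)", r"\1", cmdline).replace("'", "").replace('"', "")
        office = office_ancestor(tree, e)
        if office is not None and _name(e) in INTERPRETERS:
            findings.append({"pid": e["pid"], "rule": "office_spawned_interpreter", "severity": "high",
                             "parent": _name(office), "cmdline": cmdline})
        if any(c in plain for c in ENUM_COMMANDS) and any(t in plain for t in SECURITY_TOOLS):
            findings.append({"pid": e["pid"], "rule": "security_tool_enumeration",
                             "severity": "high" if office is not None else "low", "cmdline": cmdline})
    return findings


def rules_for(findings, pid):
    return sorted(f["rule"] for f in findings if f["pid"] == pid)


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["pid"], f["rule"], f["cmdline"])
```

On the constructed events the chain Word -> sh -> python -> sh fires three times, the same ps|grep typed into Terminal is reported only as a low-severity curiosity, and curl under Safari is not reported at all; the ancestry walk, not the command text, is what separates them.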