Microsoft Word macro malware automatically adapts attack techniques for macOS, Windows

Posted:
in Mac OS X
A form of Word macro-based malware has been uncovered that can affect both macOS and Windows users when executed, with the malicious file modifying its attack method depending on which operating system it detects it is being run within.




The Word file, discovered on March 16 by FortiGuard Labs, contains a macro using Visual Basic for Applications (VBA) code, which runs automatically once the file is opened. In the event the user has disabled macros in Microsoft Office, or is previewing it online, the file contains an image that tries to convince the user to download the document and enable macros.

When executed, the macro reads and decodes base 64-encoded data stored in the file's "comments" property. This code turns out to be a python script that attempts to detect the operating system the file is opened inside, running one of two different functions depending on if the host system is running macOS or Windows.

Researchers Xiaopeng Xhang and Chris Navarrete note this VBA code is a slightly modified version of an existing Metasploit framework. Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security.

If macOS is detected, another python script is run which again extracts code from a base64-encoded string, which then downloads and executes a file from a specific URL. The downloaded "meterpreter" file is another python script, again modified from the Metasploit framework, used as a dynamically extensible payload that can run commands provided by a server.

The payload is shown to connect to a host through port 443, in order to get more commands or to download more payload files. The researchers note that attempts to connect to the server failed, with it failing to answer client requests, though the python process used to establish the connection to the server continues trying to get a response despite the failure, persisting in the hope it can reach the server at a later time.

Malware code used to run specific functions based on the detected operating system
Malware code used to run specific functions based on the detected operating system


In the event the macro runs in Windows, a similar function is called just for that operating system, this time using base 64-encoded code to run PowerShell, which is then used to decompress and execute another PowerShell script. This latter script downloads a 64-bit DLL file, which is then used to try and communicate with a server for extra instructions.

While in both cases the malware doesn't directly harm or leak any data, infected systems are left in a state awaiting further instruction from an online server. If left unchecked, this could result in more malicious code being downloaded that could cause more damage to a user's data, such as by installing ransomware or accessing the user's Keychain, or even use the infected system for other nefarious purposes.

Word macros are well known as a possible attack vector for malware, with the relatively old technique largely used to infect Windows users. In February, researchers discovered a version of macro malware that took aim at macOS, using a similar method of downloading a malicious payload from a server, though again the payload itself was not available to view at the time of discovery.

This latest malware appears to take the principle one step further, by attacking both Windows and Mac users using the same file, maximizing the potential infections compared to spreading two separate versions tailored for each operating system.

The new Word macro attack arrives shortly after a number of other malware discoveries targeting Macs. In February, the MacDownloader malware took aim at the US defense industry with a fake Flash update, while another report revealed a Mac strain of Xagent, allegedly created by the same Russian hacking group accused of interfering with the 2016 U.S. presidential election.

Comments

  • Reply 1 of 18
    MacProMacPro Posts: 16,187member
     I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application such as opening a file from a Windows user on a Mac .  I reads as if this is the case. I'd love to know, I have employed many programmers I'm just not one so this is as clear as mud to me.
    brakkenbaconstang
  • Reply 2 of 18
    fracfrac Posts: 445member
    Word macros? VBA? malware?
    1995 and Mac 0S9 wants its vulnerabilities back. 
  • Reply 3 of 18
    Rayz2016Rayz2016 Posts: 1,684member
    MacPro said:
     I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application such as opening a file from a Windows user on a Mac .  I reads as if this is the case. I'd love to know, I have employed many programmers I'm just not one so this is as clear as mud to me.
    Yes, they're VBA macros so you have to run MS Office to be affected. 


    baconstang
  • Reply 4 of 18
    williamhwilliamh Posts: 471member
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
  • Reply 5 of 18
    rob53rob53 Posts: 1,488member
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    Not fake news. Read how the article characterizes it:

    Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security. 

    Also check out their website, www.metasploit.com. The banner says:

    World's most used penetration testing software


    When I read that, even though I spent my last eight years at work in cyber security, I see it as a veiled attempt at trying to market security software that really is for generating malware or intrusion software, whether it's used for "nefarious" purposes of not. All penetration software is software created to attack systems. You can try and call it something different, and the FBI, CIA, and especially NSA do all the time, but it is still software used to disable the security of an existing system.


    baconstang
  • Reply 6 of 18
    MacProMacPro Posts: 16,187member
    Rayz2016 said:
    MacPro said:
     I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application such as opening a file from a Windows user on a Mac .  I reads as if this is the case. I'd love to know, I have employed many programmers I'm just not one so this is as clear as mud to me.
    Yes, they're VBA macros so you have to run MS Office to be affected. 

    Thanks  much for clarification, I'm OK then :).  I run Windows 10 natively by booting from my Mac Pro into an external SSD but I haven't let a Microsoft product near my Mac while running OS X or macOS in well over a decade nor would I.
  • Reply 7 of 18
    technotechno Posts: 618member
    So is there a way of detecting or removing the macro? 
  • Reply 8 of 18
    All the more reason why I do not use M$ products. There profits have always been a higher priority, above. quality. M$ and it's users have seemed to just accept the constant threats.
    watto_cobra
  • Reply 9 of 18
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    If anyone tosses about the term "Fake News" so loosely, I assume they no little about what they are saying, including he whose name shall not be spoken.
    idreySpamSandwich
  • Reply 10 of 18
    MacProMacPro Posts: 16,187member
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    If anyone tosses about the term "Fake News" so loosely, I assume they no little about what they are saying, including he whose name shall not be spoken.
    ROFL, well said.
  • Reply 11 of 18
    williamhwilliamh Posts: 471member
    rob53 said:
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    Not fake news. Read how the article characterizes it:

    Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security. 

    Also check out their website, www.metasploit.com. The banner says:

    World's most used penetration testing software


    When I read that, even though I spent my last eight years at work in cyber security, I see it as a veiled attempt at trying to market security software that really is for generating malware or intrusion software, whether it's used for "nefarious" purposes of not. All penetration software is software created to attack systems. You can try and call it something different, and the FBI, CIA, and especially NSA do all the time, but it is still software used to disable the security of an existing system.


    With 8 years in cyber security, you know perfectly well that Metasploit is a perfectly legit tool that could also be used to create malware and not the other way around as the article calls it. 
    StrangeDays
  • Reply 12 of 18
    idreyidrey Posts: 638member
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    If anyone tosses about the term "Fake News" so loosely, I assume they no little about what they are saying, including he whose name shall not be spoken.
    LMAOL You made my day. Lol
  • Reply 13 of 18
    williamh said:
    With 8 years in cyber security, you know perfectly well that Metasploit is a perfectly legit tool that could also be used to create malware and not the other way around as the article calls it. 
    That is a very fine hair to split. We've covered all the bases on what Metasploit does. This store is in no way "fake news" because you don't agree with a sentence order.
  • Reply 14 of 18
    dofolddofold Posts: 1member
    techno said:
    So is there a way of detecting or removing the macro? 

    Download Malwarebytes. It's the best mac malware clean up software out there.  It's what they use in the Apple Genius Bar at the Apple stores. They have a free version that will clean up your mac really well, and I hear they have a new product coming out that will provide active protection. I'll be buying that as soon as it's available. 
  • Reply 15 of 18
    foggyhillfoggyhill Posts: 3,206member
    rob53 said:
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    Not fake news. Read how the article characterizes it:

    Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security. 

    Also check out their website, www.metasploit.com. The banner says:

    World's most used penetration testing software


    When I read that, even though I spent my last eight years at work in cyber security, I see it as a veiled attempt at trying to market security software that really is for generating malware or intrusion software, whether it's used for "nefarious" purposes of not. All penetration software is software created to attack systems. You can try and call it something different, and the FBI, CIA, and especially NSA do all the time, but it is still software used to disable the security of an existing system.


    Man, such a drama queen, a knife can also be used to kill people and cut bread.

    Penetration testing software is useful to see if you're vulnerable to common exploits, a bit like regression testing for security.
    In fact, security testing framework SHOULD be like software development and have whole testing suite for a huge amount of already "fixed" exploits, just in case you don't reintroduce them by accident. More likely someone outside IT or engineering will be the one reintroducing it...

    Virus sofware are a bit like that for computers except for their opacity, prefer rolling my own system wide solution and have it on a loop running from a extremely secure limited access server.
    edited March 25
  • Reply 16 of 18
    The macro in question requires binding to the OS API "system()" in order to run the external python script. Mac Office 2016 version 15.31 (released in February 2017) and later block VB from binding to that API, thus preventing macros using this particular attack vector from running. The macro will fail with a compile-time error and will not run. Version 15.32 (released in March 2017) provides user preferences to disable all VB macros from running, and version 15.33 (to be released in April) will provide IT administrators the ability to enforce this setting on all Macs under their control.

    Schwieb
    Principal Software Engineer
    Office for Apple Platforms
    Microsoft Corporation
    singularity
  • Reply 17 of 18
    MacProMacPro Posts: 16,187member
    schwieb said:
    The macro in question requires binding to the OS API "system()" in order to run the external python script. Mac Office 2016 version 15.31 (released in February 2017) and later block VB from binding to that API, thus preventing macros using this particular attack vector from running. The macro will fail with a compile-time error and will not run. Version 15.32 (released in March 2017) provides user preferences to disable all VB macros from running, and version 15.33 (to be released in April) will provide IT administrators the ability to enforce this setting on all Macs under their control.

    Schwieb
    Principal Software Engineer
    Office for Apple Platforms
    Microsoft Corporation
    Here's a tip for AI at least.  Add  a political element to the MS post and get the entire thread closed and avoid all the comments about how dreadful Microsoft's operating system and software really are :)
    edited March 27
  • Reply 18 of 18
    maestro64maestro64 Posts: 3,383member
    This is why people should run Little Snitch or Little Flocker, bot these software will stop any software like MS word from communicating with the outside world without your knowledge. I have used Little Snitch for years and can not tell you how many software reaches out to the internet. Little Snitch is such a good tool to have even the CIA was trying to find ways to have a computer communicate back to the CIA without Little Snitch ratting them out.
    edited March 27 StrangeDays
Sign In or Register to comment.