Mac malware discovered in Microsoft Word document with auto-running macro
A second example of malware targeting macOS users has surfaced this week, with the discovery of a Word document that uses an automatically running macro to try to download a hazardous payload and infect the target Mac.

According to research compiled by Objective-See, the Word file, titled "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace", shows the usual Word macro warning when a potential victim opens it. The notice warns that macros could contain viruses and offers the choice of opening the file with macros enabled, opening it with macros disabled, or not opening it at all.
If the file is opened with macros enabled, the automatic macro runs a Python script, which first checks whether the network monitoring tool Little Snitch is running before attempting to download a second-stage payload from a specific URL, decrypting the payload, and then executing its contents. The Python code itself is taken from the open-source EmPyre project, an existing post-exploitation framework, and is used "almost verbatim."
While the payload file is now inaccessible, making it impossible to know exactly what happened to victims, researchers found second-stage components of EmPyre code that hint at what would take place. It is thought the payload would try to persist on the Mac, automatically running after a reboot, and could then perform functions drawn from one of many EmPyre modules.
These modules offer attackers a multitude of options for acquiring data, including keyloggers, Keychain dumps, clipboard monitoring, screenshots, access to iMessage, and even an attached webcam.
The malware "isn't particularly advanced," suggests security researcher Patrick Wardle of Synack, because it requires users to open the document and needs macros to be enabled. The file's creators do receive some credit from Wardle for exploiting users as "the weakest link" in security, while also taking advantage of the "legitimate" functionality of macros, making it an infection vector that "doesn't have to worry about crashing the system nor being 'patched' out."
Malware embedded in documents is a relatively old infection technique, one that has largely affected Windows users rather than Mac users, and despite relying heavily on the user disregarding the initial warning notice, it has found some success in the past. The notable Melissa virus of 1999 used a Word macro to infect systems, sending copies of the file to a number of the user's contacts in order to spread.
This infected Word document arrives at the same time as another piece of macOS malware. MacDownloader, believed to have been created by Iranian hackers, used a fake aerospace website with a falsified Flash update to attack members of the U.S. defense industry and human rights advocates.
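As a defender-side illustration of the chain the article describes, the following is added example code (not from the article, Objective-See, or EmPyre) that triages macOS process-start telemetry for a Word process launching Python and for a shell enumerating Little Snitch. The event records, process names and field layout are constructed sample data, not real logs.

```python
import os
import re

# Constructed endpoint telemetry (one process-start record each); not real logs.
# Record 1002 mirrors the article's chain: Word's auto-running macro launching
# python, which then shells out (record 1003) to look for Little Snitch.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent": "launchd",
     "cmd": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"},
    {"pid": 1002, "parent": "Microsoft Word",
     "cmd": "python -c \"import base64,sys;exec(base64.b64decode('BLOB'))\""},
    {"pid": 1003, "parent": "python",
     "cmd": "/bin/sh -c 'ps -ef | grep Little\\ Snitch | grep -v grep'"},
    {"pid": 1004, "parent": "Terminal",
     "cmd": "python3 /Users/alice/work/report.py"},
]

OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
INTERPRETERS = {"python", "python2", "python3", "osascript", "sh", "bash", "zsh", "curl"}
# A process listing piped through grep for the firewall's name: the evasion
# check the malware performs before it downloads anything.
FIREWALL_CHECK = re.compile(r"\bps\b.*\|\s*grep\b.*Little\\? Snitch", re.IGNORECASE)


def triage_event(event):
    """Return the reasons (possibly none) this process-start record is suspicious."""
    cmd = event["cmd"]
    exe = os.path.basename(cmd.split(None, 1)[0])
    reasons = []
    if event["parent"] in OFFICE_APPS and exe in INTERPRETERS:
        # A document editor launching a script interpreter is the macro hop
        # described in the article and is rare in legitimate use.
        reasons.append("office-spawned-interpreter")
    if exe.startswith("python") and re.search(r"\s-c\s", cmd):
        # Inline "-c" scripts leave no file on disk to inspect later.
        reasons.append("inline-python")
    if FIREWALL_CHECK.search(cmd):
        reasons.append("firewall-check")
    return reasons


def triage(events):
    """Map pid -> reasons for every event that raised at least one reason."""
    flagged = {}
    for event in events:
        reasons = triage_event(event)
        if reasons:
            flagged[event["pid"]] = reasons
    return flagged
```

Running triage(SAMPLE_EVENTS) flags records 1002 and 1003 and leaves the launchd and Terminal children alone; in practice the parent name would come from an EDR or Endpoint Security framework feed.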

Comments
Yay. Macs are now used enough to be targeted by malware on a regular basis.
Also agree that, much like iOS security, MS should/could restrict features of macros and allow the user to decide; e.g. "Download remote files", "Directory Browsing / Reading"...
Macros in Word are only one symptom. You can add to this too talkative applications, bad problem messages, poor issue handling, lack of its own technology understanding (poor clarity and transparency probably by vendor) etc. That also causes that some people get creative to exploit all this.
So does this mean Little Snitch stops it in its tracks?
And if Little Snitch is running, then what? Nothing?
Why doesn't the article tell us?
"...first checks if network monitoring tool Little Snitch is running..."
And if Little Snitch is running, then what? Nothing?
Why doesn't the article tell us?
import re
import subprocess
import sys

# List every process and keep only lines mentioning Little Snitch
# (the trailing "grep -v grep" drops the grep command itself).
cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
ps = subprocess.Popen(cmd, shell = True, stdout = subprocess.PIPE)
out = ps.stdout.read()   # Python 2: stdout is read as a str, so re.search works directly
ps.stdout.close()
# If the firewall is running, quit before touching the network.
if re.search("Little Snitch", out):
    sys.exit()
If it finds Little Snitch in the running processes, it terminates the script before downloading the malware. Little Snitch would warn about the connection to the malware so they'd want to avoid detection as much as possible. Also, the malware is spyware so Little Snitch would likely block the outgoing data.
Network restrictions should really be a system-level policy in OS X where software is run without network access by default and has to be explicitly given network access. It can be allowed on a temporary basis like in the command line when someone is actively using the terminal. Most people would only ever need to give network access to trusted software like their browser, Mail and chat software. The malware, which contained spyware software, would be unable to send keylogged data or webcam data out by default and any attempt would be shown explicitly to the user.