Microsoft Word macro malware automatically adapts attack techniques for macOS, Windows

Posted in macOS
A form of Word macro-based malware has been uncovered that can affect both macOS and Windows users when executed, with the malicious file modifying its attack method depending on which operating system it detects it is being run within.




The Word file, discovered on March 16 by FortiGuard Labs, contains a macro using Visual Basic for Applications (VBA) code, which runs automatically once the file is opened. In the event the user has disabled macros in Microsoft Office, or is previewing it online, the file contains an image that tries to convince the user to download the document and enable macros.

When executed, the macro reads and decodes base64-encoded data stored in the file's "comments" property. The decoded data turns out to be a Python script that attempts to detect which operating system the file has been opened on, running one of two different functions depending on whether the host system is macOS or Windows.

Researchers Xiaopeng Zhang and Chris Navarrete note that this VBA code is a slightly modified version of code from the existing Metasploit framework. Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security.

If macOS is detected, another Python script is run which again extracts code from a base64-encoded string and then downloads and executes a file from a specific URL. The downloaded "meterpreter" file is another Python script, again modified from the Metasploit framework, used as a dynamically extensible payload that can run commands provided by a server.

The payload connects to a host over port 443 in order to fetch more commands or to download further payload files. The researchers note that their attempts to connect to the server failed, with it not answering client requests; the Python process that establishes the connection nevertheless keeps retrying despite the failure, persisting in the hope of reaching the server at a later time.

[Figure: Malware code used to run specific functions based on the detected operating system]


In the event the macro runs on Windows, a similar function specific to that operating system is called, this time using base64-encoded code to run PowerShell, which is then used to decompress and execute another PowerShell script. This latter script downloads a 64-bit DLL file, which is then used to try to communicate with a server for further instructions.
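The two paragraphs above describe the same hiding place on both platforms: a macro project plus a base64 blob tucked into the document's "Comments" metadata. The following added example (not code from the article or from FortiGuard Labs) shows the defender-side check a practitioner would write for Office Open XML files: it opens the package as a zip, reads the Comments property from docProps/core.xml (the dc:description element) and flags a document that combines a VBA project with a long, validly decodable base64 run in that field. The sample document is constructed in memory by make_sample_docx(); the 200-character threshold and the payload text are assumptions chosen for the demonstration.

```python
"""Heuristic scan of an Office Open XML (.docx/.docm) package for a VBA project
combined with a base64 payload hidden in the Comments metadata property.
Added example; the sample package and payload are constructed for this demo."""
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by docProps/core.xml in an OOXML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# A long run of base64-alphabet characters (threshold is an assumption)
BASE64_RUN = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")


def extract_comments(blob: bytes) -> str:
    """Return the Comments (dc:description) property of an OOXML package, or ''."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if "docProps/core.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("docProps/core.xml"))
        node = root.find("dc:description", NS)
        return (node.text or "") if node is not None else ""


def has_macro_project(blob: bytes) -> bool:
    """True if the package carries a VBA project (word/vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def looks_like_base64_payload(text: str) -> bool:
    """True if the text is a long run of base64 characters that actually decodes."""
    stripped = text.strip()
    if not BASE64_RUN.match(stripped):
        return False
    try:
        base64.b64decode(re.sub(r"\s+", "", stripped), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan(blob: bytes) -> dict:
    """Combine the two indicators; only the pair is treated as suspicious."""
    comments = extract_comments(blob)
    macro = has_macro_project(blob)
    b64 = looks_like_base64_payload(comments)
    findings = []
    if macro:
        findings.append("contains VBA project (vbaProject.bin)")
    if b64:
        findings.append(f"Comments property holds a {len(comments)}-char base64 blob")
    return {"macro": macro, "base64_in_comments": b64,
            "suspicious": macro and b64, "findings": findings}


def make_sample_docx(comment_text: str, with_macro: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed sample, not a real file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:title>Invoice</dc:title><dc:description>%s</dc:description>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], comment_text)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def sample_payload() -> str:
    """Constructed, harmless stand-in for the hidden script (base64-encoded)."""
    return base64.b64encode(b"# constructed placeholder payload line\n" * 12).decode()


if __name__ == "__main__":
    for label, doc in [("macro + base64 comment", make_sample_docx(sample_payload(), True)),
                       ("plain document", make_sample_docx("Reviewed by finance team", False))]:
        print(label, "->", scan(doc))
```

The check deliberately requires both indicators, since a large base64 string in metadata without a macro has no way to execute itself, and a macro project alone is common in legitimate templates. Legacy binary .doc files store the same Comments field in the OLE2 SummaryInformation stream rather than in core.xml, so for those the property would have to be read with an OLE parser such as olefile before applying looks_like_base64_payload().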

While in both cases the malware doesn't directly harm or leak any data, infected systems are left in a state awaiting further instruction from an online server. If left unchecked, this could result in more malicious code being downloaded that could cause more damage to a user's data, such as by installing ransomware or accessing the user's Keychain, or even in the infected system being used for other nefarious purposes.

Word macros are well known as a possible attack vector for malware, with the relatively old technique largely used to infect Windows users. In February, researchers discovered a version of macro malware that took aim at macOS, using a similar method of downloading a malicious payload from a server, though again the payload itself was not available to view at the time of discovery.

This latest malware appears to take the principle one step further, by attacking both Windows and Mac users using the same file, maximizing the potential infections compared to spreading two separate versions tailored for each operating system.

The new Word macro attack arrives shortly after a number of other malware discoveries targeting Macs. In February, the MacDownloader malware took aim at the US defense industry with a fake Flash update, while another report revealed a Mac strain of Xagent, allegedly created by the same Russian hacking group accused of interfering with the 2016 U.S. presidential election.

Comments

  • Reply 1 of 18
    MacPro Posts: 19,727 member
     I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application, such as opening a file from a Windows user on a Mac? It reads as if this is the case. I'd love to know; I have employed many programmers, I'm just not one, so this is as clear as mud to me.
  • Reply 2 of 18
    frac Posts: 480 member
    Word macros? VBA? malware?
    1995 and Mac OS 9 wants its vulnerabilities back.
  • Reply 3 of 18
    Rayz2016 Posts: 6,957 member
    MacPro said:
     I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application, such as opening a file from a Windows user on a Mac? It reads as if this is the case. I'd love to know; I have employed many programmers, I'm just not one, so this is as clear as mud to me.
    Yes, they're VBA macros so you have to run MS Office to be affected. 
  • Reply 4 of 18
    williamh Posts: 1,033 member
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
  • Reply 5 of 18
    rob53 Posts: 3,248 member
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    Not fake news. Read how the article characterizes it:

    Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security. 

    Also check out their website, www.metasploit.com. The banner says:

    World's most used penetration testing software


    When I read that, even though I spent my last eight years at work in cyber security, I see it as a veiled attempt at trying to market security software that really is for generating malware or intrusion software, whether it's used for "nefarious" purposes or not. All penetration software is software created to attack systems. You can try and call it something different, and the FBI, CIA, and especially NSA do all the time, but it is still software used to disable the security of an existing system.
  • Reply 6 of 18
    MacPro Posts: 19,727 member
    Rayz2016 said:
    MacPro said:
     I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application, such as opening a file from a Windows user on a Mac? It reads as if this is the case. I'd love to know; I have employed many programmers, I'm just not one, so this is as clear as mud to me.
    Yes, they're VBA macros so you have to run MS Office to be affected. 

    Thanks much for the clarification, I'm OK then :). I run Windows 10 natively by booting from my Mac Pro into an external SSD, but I haven't let a Microsoft product near my Mac while running OS X or macOS in well over a decade, nor would I.
  • Reply 7 of 18
    techno Posts: 737 member
    So is there a way of detecting or removing the macro? 
  • Reply 8 of 18
    All the more reason why I do not use M$ products. Their profits have always been a higher priority, above quality. M$ and its users have seemed to just accept the constant threats.
  • Reply 9 of 18
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    If anyone tosses about the term "Fake News" so loosely, I assume they know little about what they are saying, including he whose name shall not be spoken.
  • Reply 10 of 18
    MacPro Posts: 19,727 member
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    If anyone tosses about the term "Fake News" so loosely, I assume they know little about what they are saying, including he whose name shall not be spoken.
    ROFL, well said.
  • Reply 11 of 18
    williamh Posts: 1,033 member
    rob53 said:
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    Not fake news. Read how the article characterizes it:

    Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security. 

    Also check out their website, www.metasploit.com. The banner says:

    World's most used penetration testing software


    When I read that, even though I spent my last eight years at work in cyber security, I see it as a veiled attempt at trying to market security software that really is for generating malware or intrusion software, whether it's used for "nefarious" purposes or not. All penetration software is software created to attack systems. You can try and call it something different, and the FBI, CIA, and especially NSA do all the time, but it is still software used to disable the security of an existing system.


    With 8 years in cyber security, you know perfectly well that Metasploit is a perfectly legit tool that could also be used to create malware, and not the other way around as the article calls it.
  • Reply 12 of 18
    idrey Posts: 647 member
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    If anyone tosses about the term "Fake News" so loosely, I assume they know little about what they are saying, including he whose name shall not be spoken.
    LMAOL You made my day. Lol
  • Reply 13 of 18
    Mike Wuerthele Posts: 6,861 administrator
    williamh said:
    With 8 years in cyber security, you know perfectly well that Metasploit is a perfectly legit tool that could also be used to create malware and not the other way around as the article calls it. 
    That is a very fine hair to split. We've covered all the bases on what Metasploit does. This story is in no way "fake news" because you don't agree with a sentence order.
  • Reply 14 of 18
    dofold Posts: 1 member
    techno said:
    So is there a way of detecting or removing the macro? 

    Download Malwarebytes. It's the best Mac malware clean-up software out there. It's what they use at the Apple Genius Bar in the Apple stores. They have a free version that will clean up your Mac really well, and I hear they have a new product coming out that will provide active protection. I'll be buying that as soon as it's available.
  • Reply 15 of 18
    foggyhill Posts: 4,767 member
    rob53 said:
    williamh said:
     This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities.  Of course it can also be used for nefarious purposes just like many security tools.  Keep up the fake news.
    Not fake news. Read how the article characterizes it:

    Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security. 

    Also check out their website, www.metasploit.com. The banner says:

    World's most used penetration testing software


    When I read that, even though I spent my last eight years at work in cyber security, I see it as a veiled attempt at trying to market security software that really is for generating malware or intrusion software, whether it's used for "nefarious" purposes or not. All penetration software is software created to attack systems. You can try and call it something different, and the FBI, CIA, and especially NSA do all the time, but it is still software used to disable the security of an existing system.


    Man, such a drama queen, a knife can also be used to kill people and cut bread.

    Penetration testing software is useful to see if you're vulnerable to common exploits, a bit like regression testing for security.
    In fact, a security testing framework SHOULD be like software development and have a whole testing suite for a huge number of already "fixed" exploits, just in case you don't reintroduce them by accident. More likely someone outside IT or engineering will be the one reintroducing it...

    Virus software is a bit like that for computers, except for its opacity; I prefer rolling my own system-wide solution and having it on a loop running from an extremely secure, limited-access server.
    edited March 2017
  • Reply 16 of 18
    The macro in question requires binding to the OS API "system()" in order to run the external python script. Mac Office 2016 version 15.31 (released in February 2017) and later block VB from binding to that API, thus preventing macros using this particular attack vector from running. The macro will fail with a compile-time error and will not run. Version 15.32 (released in March 2017) provides user preferences to disable all VB macros from running, and version 15.33 (to be released in April) will provide IT administrators the ability to enforce this setting on all Macs under their control.

    Schwieb
    Principal Software Engineer
    Office for Apple Platforms
    Microsoft Corporation
  • Reply 17 of 18
    MacPro Posts: 19,727 member
    schwieb said:
    The macro in question requires binding to the OS API "system()" in order to run the external python script. Mac Office 2016 version 15.31 (released in February 2017) and later block VB from binding to that API, thus preventing macros using this particular attack vector from running. The macro will fail with a compile-time error and will not run. Version 15.32 (released in March 2017) provides user preferences to disable all VB macros from running, and version 15.33 (to be released in April) will provide IT administrators the ability to enforce this setting on all Macs under their control.

    Schwieb
    Principal Software Engineer
    Office for Apple Platforms
    Microsoft Corporation
    Here's a tip for AI at least. Add a political element to the MS post and get the entire thread closed, and avoid all the comments about how dreadful Microsoft's operating system and software really are :)
    edited March 2017
  • Reply 18 of 18
    maestro64 Posts: 5,043 member
    This is why people should run Little Snitch or Little Flocker; both of these will stop any software like MS Word from communicating with the outside world without your knowledge. I have used Little Snitch for years and cannot tell you how many programs reach out to the internet. Little Snitch is such a good tool to have that even the CIA was trying to find ways to have a computer communicate back to the CIA without Little Snitch ratting them out.
    edited March 2017