Malware Targeting MS Word for Apple Mac OS Discovered in the Wild

Macro-based malware attacks against Windows machines running Microsoft Word have long been a routine threat. Now security researchers have discovered attackers developing malicious macros in Word documents for Apple's Mac platform.

Macro abuse has long been a staple of attacks on Microsoft Office programs. Macros automate specific tasks through a series of commands and actions. Written in Microsoft's VBA (Visual Basic for Applications), they are commonly abused by malware authors and cybercriminals to install malware on targeted computers. Security researchers are in agreement in recommending that users not enable macros.

While the technique has frequently been used by attackers targeting the Windows platform, researchers have now discovered the first instance of a malicious macro embedded in a Word document targeting Mac computers.

Discovered by Patrick Wardle, head of research at security firm Synack, the macro runs Python code that downloads a malware payload onto the Mac, giving attackers sweeping control of the victim's computer. The malware lets them access the user's browser history, enable the webcam and dump the keychain to steal credentials.

Wardle writes:

Overall, this malware sample isn't particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word, not Apple's Pages), as well as needs macros to be enabled.

Notably, Mac users are prompted to enable macros when they open the malicious Word document. If the warning is ignored, the embedded macro executes a command that downloads the payload.

The function, coded in Python, is nearly identical to an open-source Mac post-exploitation agent called EmPyre, which has also been found targeting Linux machines.
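The behaviour described above gives defenders a simple process-lineage signal: on a Mac, Microsoft Word has no business launching a shell or a Python interpreter. The following detection rule is an added example written for this article, not code from Wardle's write-up or from EmPyre; the process-event records it runs over are constructed sample data, and the field names are assumptions about what an endpoint agent would log.

```python
# Added example: flag interpreters or downloaders whose ancestry leads back to
# an Office application, the chain a Mac Word macro uses to run its payload.
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid name cmdline")

# Office processes that legitimately run macros but should rarely spawn shells.
OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
# Images a macro commonly uses to fetch or run a second stage on macOS.
SUSPICIOUS_CHILDREN = {"python", "python3", "sh", "bash", "zsh", "curl", "osascript"}
MAX_DEPTH = 8  # stop walking up the tree after this many parent hops

def find_office_spawned(events):
    """Return (office_app, child_name, cmdline) for every suspicious process
    that has an Office application anywhere in its ancestry."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.name not in SUSPICIOUS_CHILDREN:
            continue
        parent, hops = by_pid.get(ev.ppid), 0
        while parent is not None and hops < MAX_DEPTH:
            if parent.name in OFFICE_PARENTS:
                hits.append((parent.name, ev.name, ev.cmdline))
                break
            parent, hops = by_pid.get(parent.ppid), hops + 1
    return hits

# Constructed sample telemetry (not real logs). A VBA system() call goes through
# /bin/sh -c, so the python interpreter shows up as a grandchild of Word.
SAMPLE_EVENTS = [
    ProcEvent(1,   0,   "launchd",        "/sbin/launchd"),
    ProcEvent(400, 1,   "Microsoft Word", "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"),
    ProcEvent(401, 400, "sh",             "sh -c python -c <stage-one-placeholder>"),
    ProcEvent(402, 401, "python",         "python -c <stage-one-placeholder>"),
    # Benign: a developer running python from Terminal must not be flagged.
    ProcEvent(500, 1,   "Terminal",       "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(501, 500, "zsh",            "-zsh"),
    ProcEvent(502, 501, "python3",        "python3 build.py"),
]

if __name__ == "__main__":
    for app, child, cmd in find_office_spawned(SAMPLE_EVENTS):
        print(f"ALERT: {app} -> {child}: {cmd}")
```

Both the shell and the interpreter it launches are reported, since either one on its own is enough to warrant a look.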

“It’s kind of a low-tech solution, but on one hand it’s abusing legitimate functionality so it’s not going to crash like a memory corruption or overflow might, and it’s not going to be patched out,” Wardle added.

Geolocation of the IP address the malware was sent from placed it in Russia. The same IP has been associated with other malicious activity, including phishing attempts.

Image credit: Objective-See.