Mac Malware Reportedly First To Infect Machines Using Macros
Researchers have identified what they believe is the first in-the-wild instance of hackers using malicious macros in Word documents to execute malware on Mac computers, instead of Windows-based machines.
Patrick Wardle, director of research at the cybersecurity company Synack, reported in a blog post this week that multiple Mac security researchers, admins, and malware experts collectively analyzed a newly discovered malicious Word document with the file name “U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm”.
Recipients who open this document and choose to enable macros in the resulting pop-up are infected with embedded Python code that is virtually identical to EmPyre, an open source Mac and Linux post-exploitation agent.
Despite serving a legitimate purpose, the automation of tasks, macros are often abused by developers of Windows-based malware, who have long banked on the fact that users either enable macros by default or dismiss the warnings that would keep them disabled.
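The attachment in this case is a macro-enabled Word file (.docm), which, like every OOXML document, is a ZIP archive whose VBA code is stored in the `word/vbaProject.bin` part and whose main part is declared with a "macroEnabled" content type. That structure gives defenders a way to flag macro-bearing attachments at a mail gateway or in triage before any user ever sees the "enable macros" prompt. The following Python script is an added example, not code from the article or from Wardle's post; it inspects the archive contents instead of trusting the file extension (which a sender can change), and the two sample archives it builds in memory are constructed stand-ins containing a placeholder byte string rather than real macro code.

```python
"""Triage check for macro-enabled Office documents (OOXML).

Added example (not from the article). A .docm is a ZIP archive; the VBA code
lives in word/vbaProject.bin and [Content_Types].xml declares the main part
as "macroEnabled". Looking inside the archive catches documents whose
extension was renamed to something less suspicious.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def inspect_ooxml(data: bytes) -> dict:
    """Return a small report on whether an OOXML document carries VBA macros."""
    report = {"is_zip": False, "macro_parts": [], "macro_enabled_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not a ZIP at all: either a legacy binary .doc or something else entirely.
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any part named vbaProject.bin (case-insensitive) holds a VBA project.
        report["macro_parts"] = [n for n in names if n.lower().endswith(MACRO_PART_SUFFIX)]
        # The content-type manifest is the second, independent indicator.
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
            report["macro_enabled_content_type"] = MACRO_CONTENT_TYPE in manifest
    return report


def has_macros(data: bytes) -> bool:
    """True if either indicator says the document contains a VBA project."""
    report = inspect_ooxml(data)
    return bool(report["macro_parts"]) or report["macro_enabled_content_type"]


def build_sample(macro_enabled: bool) -> bytes:
    """Construct a minimal stand-in document in memory (constructed test data,
    not a real Word file; the vbaProject.bin part is a placeholder string)."""
    main_ct = MACRO_CONTENT_TYPE if macro_enabled else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-NOT-A-REAL-VBA-PROJECT")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("plain .docx-style", False), ("macro-enabled .docm-style", True)):
        print(label, inspect_ooxml(build_sample(flag)))
```

Run against a real attachment with `inspect_ooxml(open(path, "rb").read())`. A document that has the `vbaProject.bin` part but arrived with a `.docx` or `.doc` extension deserves the same scrutiny as a `.docm`; the check deliberately reports both indicators separately so an analyst can see when they disagree.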
“Using Word macros as an infection vector exploits the weakest link: humans,” said Wardle, in an email interview with SC Media. “As operating systems and applications become harder to exploit (due to more secure coding practices, built-in exploitation mitigations, etc.), humans remain the constant.”
Other reasons macros make popular cyberweapons: they work across platforms, and “as legitimate functionality, can't be fixed by a patch from the vendor,” Wardle added.
After checking the system for Little Snitch, a host-based application firewall for Mac OS X, the malware downloads a second-stage component that maintains persistence on infected machines. This component can run a variety of modules that are capable of operating a victim's webcam, dumping the keychain and viewing a user's browser history, among other malicious activities.
The command-and-control server from which this persistence module was downloaded is located in Russia and has a reputation for hosting phishing attacks, Wardle continued. (Presumably, phishing is the malicious Word document's method of distribution.)