Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL
+44 (0) 1582 434320

MAC OSX - Macro Based Malware

MAC OSX - Macro Based Malware

MAC OSX - Macro Based Malware

Mac users are always prompted to enable macros so this new vulnerability found in macOS will most likely have a success rate if users fall for it. Users can be targeted anytime, similar to why Ransomware has become so successful.

How it works

The word document is laced with a malicious macro that only executes on macOS. It uses scripts similar to Windows-based attacks where the subject line has a luring subject line to entice the user.

Once the user tries to open the document they are faced with a dialogue box that seems very legit to a day-to-day user. Once the macro is enabled, a payload is executed which attempts to download more code from the attackers site.

Macros Warning

The attack only works on Mac versions of Word. Attempts were made using similar mac based productivity software but failed. Although the office popup recommends the ‘Disable Macro’ option with clear warning about viruses, a small proportion of users will press ’Enable Macro’ which is all the exploit makers need.

It also sidesteps Apple’s Gatekeeper protection which blocks unsigned code from executing; macros will execute since they’re given permission to do so by the user.

Once enabled, the macro decodes data and executes it via Python from an open source project called EmPyre. (EmPyre is a legitimate open source Mac and Linux post-exploitation agent often used in penetration testing engagements.)

The attackers embedded a first stage component of EmPyre into the Word document and its sole purpose was to call out to the command infrastructure at securitychecking[.]org[:]443/index[.]asp for the second stage.

Securitychecking[.]org has been previously associated with cybercrime activities such as phishing and other malware downloads.

The second stage is a persistent Mac backdoor that allows for a number of malicious capabilities, including:

  • Modules fro grabbing browser history
  • Turning on the webcam
  • Keylogging
  • Dumping of hashes

Affected Systems

The attack works against any macOS with Microsoft Word installed.

Mac Vulnerabilities

Mac OS X Malware Volume

Vulnerabilities Graph

Sourced from Symantec (2016)