We shared research yesterday revealing that hackers are increasingly targeting macOS, since many Apple users assume their devices are secure from any kind of attack. This assumed sense of security can trick gullible users into downloading suspicious files and even entering their login details into fake system prompts. Another report today further confirms that while macOS malware has yet to be as sophisticated as its Windows counterparts, it is quickly trying to catch up.
macOS malware targets Word users, replicating Windows attack strategies
For years, spammers and hackers have targeted the Windows operating system with malicious Microsoft Word documents. A new piece of malware that targets macOS has been spotted using the same old Windows technique: code execution through macros embedded in Word documents.
The exploit depends on users opening a specially crafted Word document containing a macro that silently executes in the background. Security researcher Patrick Wardle spotted one such document, titled “U.S. Allies and Rivals Digest Trump’s Victory - Carnegie Endowment for International Peace.”
When opened in a copy of Microsoft Word that is configured to allow macros, it carries out its attack on the target system.
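The document-side half of this attack is visible before anyone clicks "Enable Macros": a macro-enabled Word file is a zip package that carries its VBA code in a well-known part and declares a macro-enabled content type. The following added example (not code from the article or from Patrick Wardle's analysis) performs that static triage on documents constructed in memory; the VBA project bytes it writes are a placeholder, not a real project, and the file names are made up.

```python
"""Static triage of a Word document for an embedded VBA macro project.

Added example, not code from the article or from the original analysis.
A macro-enabled OOXML document (.docm) is a zip package whose VBA code
lives in the part word/vbaProject.bin and whose main part is declared
with a macro-enabled content type. Both are cheap to check at a mail
gateway or on an endpoint. The documents built here are constructed
stand-ins: the VBA project bytes are a placeholder, not a real project.
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc container


def content_types_xml(main_ct):
    """Minimal [Content_Types].xml naming the main document part's type."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        '</Types>'
    )


def build_constructed_doc(with_macro):
    """Build a minimal OOXML package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   content_types_xml(MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compressed VBA project.
            z.writestr(VBA_PART, b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def triage(filename, data):
    """Return triage findings for one document given its file name and raw bytes."""
    result = {
        "verdict": "clean",
        "has_vba_project": False,
        "macro_content_type": False,
        "extension_mismatch": False,
    }
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .doc: macros live in an OLE storage, which needs an
        # OLE parser (e.g. olefile) rather than this zip-based check.
        result["verdict"] = "legacy-ole-needs-ole-parser"
        return result
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"
        return result
    names = set(z.namelist())
    result["has_vba_project"] = VBA_PART in names
    if "[Content_Types].xml" in names:
        ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = MACRO_MAIN_CT in ct_xml
    macro = result["has_vba_project"] or result["macro_content_type"]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A file named .docx that carries a VBA project is anomalous: the
    # non-macro format has no business shipping macro code.
    result["extension_mismatch"] = macro and ext == "docx"
    if macro:
        result["verdict"] = "macro-enabled"
    return result


if __name__ == "__main__":
    for fname, doc in (("digest.docm", build_constructed_doc(True)),
                       ("digest.docx", build_constructed_doc(False)),
                       ("digest.docx", build_constructed_doc(True))):
        print(fname, triage(fname, doc))
```

The check deliberately stops at "a VBA project is present"; extracting and reading the macro source requires decompressing the MS-OVBA stream, which a dedicated tool such as oletools handles. Presence alone is already enough for a gateway to quarantine or strip the document, which is the cheapest place to break the chain the article describes.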
The malware first checks that the Little Snitch firewall is not running, then downloads an encrypted payload from hs://www.securitychecking.org:443/index.asp. It decrypts the payload with a hard-coded key and executes it.
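The malware's check for Little Snitch says what it fears: outbound-connection telemetry tied to the process that made the connection. The added example below (not code from the article or from the original analysis) runs that logic over endpoint log lines. The log format, process ids, timestamps and the allowlist of Microsoft hosts are all constructed for this example; the only indicator taken from the article is the download host.

```python
"""Behavioural detection for the macro-to-download chain described above.

Added example, not code from the article or from the original analysis.
The log format is constructed for this example: one event per line,
either a process start (with parent pid) or an outbound connection.
Two rules fire: a connection to a known indicator host, and any process
descended from Microsoft Word connecting to a host outside an allowlist.
"""
import re

IOC_DOMAINS = {"www.securitychecking.org"}             # host named in the article
OFFICE_PARENTS = {"Microsoft Word"}
ALLOWED_SUFFIXES = (".microsoft.com", ".office.com")   # assumed allowlist, not authoritative

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) (?P<kind>proc_start|net_connect) pid=(?P<pid>\d+)'
    r'(?: ppid=(?P<ppid>\d+))?(?: name="(?P<name>[^"]*)")?'
    r'(?: dst=(?P<host>[^:\s]+):(?P<port>\d+))?$'
)

# Constructed sample log: Word opens a document, a child shell reaches out.
SAMPLE_LOG = """\
2017-02-06T10:00:00Z proc_start pid=1 name="launchd"
2017-02-06T10:01:02Z proc_start pid=412 ppid=1 name="Microsoft Word"
2017-02-06T10:01:05Z net_connect pid=412 dst=office.microsoft.com:443
2017-02-06T10:01:20Z proc_start pid=418 ppid=412 name="sh"
2017-02-06T10:01:21Z net_connect pid=418 dst=www.securitychecking.org:443
2017-02-06T10:01:30Z net_connect pid=418 dst=203.0.113.7:8443
2017-02-06T10:02:00Z proc_start pid=500 ppid=1 name="Safari"
2017-02-06T10:02:01Z net_connect pid=500 dst=example.org:443
""".splitlines()


def parse(line):
    """Parse one event line into a dict, or None if it does not match the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def lineage(pid, parent, name):
    """Walk pid -> ppid upwards and return process names root-first."""
    chain, seen = [], set()
    while pid is not None and pid in name and pid not in seen:
        seen.add(pid)
        chain.append(name[pid])
        pid = parent.get(pid)
    return list(reversed(chain))


def detect(lines):
    """Return (rule, timestamp, process chain, host) tuples for suspicious connections."""
    parent, name, alerts = {}, {}, []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        pid = int(ev["pid"])
        if ev["kind"] == "proc_start":
            parent[pid] = int(ev["ppid"]) if ev["ppid"] else None
            name[pid] = ev["name"] or "?"
            continue
        host = ev["host"]
        chain = lineage(pid, parent, name)
        office_rooted = any(n in OFFICE_PARENTS for n in chain)
        if host in IOC_DOMAINS:
            alerts.append(("ioc-match", ev["ts"], " > ".join(chain), host))
        elif office_rooted and not host.endswith(ALLOWED_SUFFIXES):
            # Word and its children have no reason to talk to arbitrary hosts.
            alerts.append(("office-outbound", ev["ts"], " > ".join(chain), host))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On macOS the process lineage and connection events would come from the Endpoint Security framework or from a Little Snitch-style alerting firewall; the second rule is the durable one, since the indicator host stopped serving the payload while Word spawning children that reach out to unfamiliar hosts remains a signal regardless of which domain is in use.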
By the time the researchers discovered the malicious document, securitychecking.org had stopped serving the payload, so they do not know exactly what it did. However, it was taken from EmPyre, an open-source exploit framework for Macs. This borrowed component can allow for persistent infections, including webcam monitoring, data theft and browser access, among other capabilities.
While the malware's quality is far from advanced, the use of Word macros against macOS users is still significant. Unsuspecting users routinely fall for these booby traps, and attackers continue to use this mechanism to infect large numbers of Windows computers. As the folks at Ars Technica pointed out, "malicious macros also power some of the most aggressive strains of ransomware, including one known as Locky."
Wardle concluded that "this malware sample isn't particularly advanced."
It relies on user interaction (to open a malicious document in Microsoft Word, not Apple's Pages), as well as needing macros to be enabled. Most users know never to allow macros - right!?! Moreover, using an open-source implant likely ensures that detection software should detect it - right!?
While macOS malware is still primitive, statistics show people are still easily fooled into downloading malicious documents or clicking infected links. As Wardle pointed out, "by using macros in a Word document they [attackers] are exploiting the weakest link; humans!"