Apple Users Beware: This Malware Uses MS Word to Infect macOS

Written by / Courtesy of Hongkiat.com

Macro-based attacks delivered through malicious Microsoft Word documents have been around for years and remain one of the most effective ways to compromise a Windows machine. Now this form of attack has made its way to the Mac as well.

Security researchers identified such an attack on a Mac by way of a Word file titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace”. Hidden inside the file is an embedded macro that runs only if the user opens the document in Word and allows macros, which Word warns about before running them.

If the user opens the file and enables macros despite the warning Word displays, the macro first checks whether the Little Snitch firewall is running. If it isn’t, the macro downloads an encrypted payload from securitychecking.org, decrypts it with a key hard-coded in the macro, and executes it. The Little Snitch check is a simple evasion step: on a Mac running that firewall, the outbound connection to the download server would raise a prompt that could alert the user, so the macro simply does nothing there.

According to the researchers, the Python code in the macro is almost a direct copy of EmPyre, a known open-source post-exploitation framework for the Mac. The researchers were unable to obtain the payload that securitychecking.org was serving, but the presence of EmPyre components means the macro could potentially be used to monitor the webcam, steal passwords and encryption keys stored in the keychain, and access browsing history.
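The behaviour described in the two paragraphs above (an auto-running macro, a Little Snitch check, a hard-coded download host, a Python stager and an encoded blob) is exactly what an analyst looks for when triaging a suspicious Word document. The script below is an added example, not code from the article, Hongkiat, Ars Technica or the researchers: it scores a decompressed VBA macro against those indicators and pulls out any embedded URLs. It assumes the macro source has already been extracted from the document (for instance with a VBA extraction tool such as oletools’ olevba); the indicator weights and threshold are this example’s own choices, and the sample macro is constructed for the test, with a blob that is just base64 of sixty “A” bytes, so it carries no working payload.

```python
"""Static triage of a decompressed VBA macro for the behaviours reported
in the macOS Word-macro attack: added example, not the researchers' code."""
import re
from dataclasses import dataclass, field

# Weighted indicators. Weights are this example's own choice, not a published scheme.
INDICATORS = {
    "autorun_entry":       (3, re.compile(r"\bSub\s+(AutoOpen|Document_Open|AutoExec)\b", re.I)),
    "shell_from_macro":    (3, re.compile(r"\b(MacScript|Shell|AppleScript|CreateObject)\b", re.I)),
    "python_stager":       (3, re.compile(r"\bpython[23]?\b[^\n]{0,40}?-c\b", re.I)),
    "little_snitch_check": (4, re.compile(r"little\s*snitch", re.I)),
    "downloader":          (2, re.compile(r"\b(urllib2?|curl|requests|URLDownloadToFile|NSURLSession)\b", re.I)),
    "base64_blob":         (2, re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"']*)?", re.I)


@dataclass
class TriageResult:
    score: int = 0
    hits: dict = field(default_factory=dict)   # indicator name -> first matching text
    urls: list = field(default_factory=list)   # hard-coded hosts worth blocking/hunting
    verdict: str = "clean"


def triage_vba(source: str, threshold: int = 6) -> TriageResult:
    """Score the macro source; 'suspicious' once enough weighted indicators fire."""
    result = TriageResult()
    for name, (weight, pattern) in INDICATORS.items():
        match = pattern.search(source)
        if match:
            result.hits[name] = match.group(0)[:60]
            result.score += weight
    result.urls = sorted(set(URL_RE.findall(source)))
    if result.score >= threshold:
        result.verdict = "suspicious"
    return result


# Constructed sample mirroring the reported behaviour. Nothing in it runs:
# the blob decodes to sixty "A" bytes and the host is the one named in the article.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Const C2 As String = "https://securitychecking.org/"
Sub AutoOpen()
    Dim cmd As String
    cmd = "python -c 'import urllib2,base64;exec(base64.b64decode(""" & _
          "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" & _
          """))'"
    If Not LittleSnitchRunning() Then
        MacScript "do shell script """ & cmd & """"
    End If
End Sub
Function LittleSnitchRunning() As Boolean
    LittleSnitchRunning = InStr(MacScript("do shell script ""ps -ef"""), "Little Snitch") > 0
End Function
'''

# Constructed benign macro: auto-runs, but only pops a message box.
BENIGN_VBA = '''
Sub AutoOpen()
    MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(src)
        print(f"{label}: {r.verdict} (score {r.score})")
        for name, text in r.hits.items():
            print(f"  {name}: {text}")
        for url in r.urls:
            print(f"  url: {url}")
```

A single hit such as an AutoOpen entry point is normal in legitimate templates, which is why the benign sample stays below the threshold; it is the combination of auto-run, shelling out to a Python one-liner, a firewall check and a hard-coded host that makes the document worth pulling apart. The extracted URL is the first thing to feed into DNS and proxy logs.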

This malicious Word file marks the first known attempt to compromise a Mac via macro abuse. The malware isn’t particularly advanced, and it depends entirely on the user clicking through Word’s macro warning, but there is no denying that macros remain highly effective for compromising a machine. Mac users should be extra vigilant about Word files from now on, and should not enable macros in documents from unknown senders.

Source: Ars Technica

Read the original article over at Hongkiat.com.