Researchers discovered Word Macro Malware targeting Mac Users
Macs are not the primary target of hackers, hence there are very few malware targeting Mac users. It does not mean that Mac users are safe. The newly discovered Malware for Mac shows how Mac users are at serious risk.
Security researchers have found two separate instances of MacOS malware that relies on old Windows Macro malware technique.
Macros are not a new concept but have been in existence since 1990. Macro is a series of commands and actions used to automate tasks in Microsoft Office programs. Until now, hackers have cleverly used this technique to target Windows users
To target users, attackers are sending a malicious Microsoft Word abusing macros, titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.” If the user opens the document in world application configured to allow macros and ignore the warning, the malicious macro checks that the LittleSnitch security firewall is not running.
Then it downloads an encrypted payload, decrypt it and execute it in the system.
According to the blog post published by Patrick Wardle, director of research at security firm Synack, this exploit is very identical to EmPyre – an open source Mac and Linux post-exploitation agent.
Wardle also tracked the IP address used to send this document and the IP details confirm that the malicious Word documents were being sent from Russia. Previously, This IP has also been associated with malicious activities like phishing attacks.
The other malware instance discovered this week also relies on classic Windows tactics by faking regular software update. This fake software update dialog box downloads malicious code in the system.
Once the user performs any action on the dialog box, the software gets the green signal to harvest user keychain, phish usernames and passwords, collect private and sensitive data, and then send them back to attackers.
The best way to keep your system safe us just by denying the permission to enable macros from running when opening a suspicious Word document or avoiding the software download from unknown sources.