A new piece of malware targeting Mac users was recently found in a Microsoft Word document titled “US Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.”
The infected document relies on a macro that runs automatically when the file is opened. This is a built-in feature of Word, not a vulnerability, and it only works if the user has allowed macros to run.
When a Mac user opened the document in Word with macros enabled, the malware attempted to carry out its attack on the computer.
Word's macro warning tells potential victims that macros can carry malware, and offers the choice of opening the file with macros enabled, opening it with macros disabled, or not opening it at all.
The macro first checks that Little Snitch, a popular macOS outbound firewall, is not running, and only then downloads an encrypted second-stage payload.
It then decrypts the payload and executes it. The Python script it runs was taken, according to the researchers who analysed it, almost verbatim from EmPyre, an open-source post-exploitation framework for macOS.
By the time analysts began tracking the document and its origin, the payload download site was already offline, so nobody could retrieve the second stage or say for certain what it would have done on a compromised machine.
Because the first stage is EmPyre's own stager, the analysts could nonetheless infer from the framework's code what to expect: the malware would persist on the victim's computer, run again automatically after a reboot, and execute whatever EmPyre modules the operator chose. That would presumably allow browser access, data theft, clipboard monitoring and webcam capture.
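The auto-run macro is the whole delivery mechanism here, so triage of a suspicious document starts with pulling the VBA source out of it. Word stores that source inside `word/vbaProject.bin` in the MS-OVBA compressed format, which is why a plain `strings` run over the file often misses the macro. The following Python is an added example, not code from this page or from the researchers who analysed the document: it implements the MS-OVBA decompression algorithm, carves module source out of raw `vbaProject.bin` bytes by trying every candidate container and keeping only those that decompress to text beginning with `Attribute VB_Name`, and flags auto-executing procedures such as `AutoOpen`. The sample bytes are constructed for the example and stand in for a module stream; the carving heuristic skips the OLE compound-file parsing a full tool would do, and the macro body is a placeholder, not the one from the Carnegie document.

```python
"""Carve MS-OVBA compressed VBA source out of vbaProject.bin bytes and flag
auto-executing procedures. Added example for this article; the sample bytes
below are constructed and the macro body is a placeholder, not the real one."""
import re
from typing import List, Tuple

# Word/Excel procedure names that run as soon as macros are enabled, without
# any further click (assumption: list limited to the common ones).
AUTOEXEC_NAMES = (
    "AutoOpen", "AutoExec", "AutoNew", "AutoClose", "AutoExit",
    "Document_Open", "Document_New", "Document_Close",
    "Workbook_Open", "Auto_Open",
)
_AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(" + "|".join(AUTOEXEC_NAMES) + r")\b", re.IGNORECASE)


def decompress_container(buf: bytes, start: int = 0) -> Tuple[bytes, int]:
    """Decompress an MS-OVBA CompressedContainer that begins at buf[start].

    Returns (decompressed bytes, container bytes consumed); raises ValueError
    on a malformed container."""
    if start >= len(buf) or buf[start] != 0x01:
        raise ValueError("missing container signature byte")
    out = bytearray()
    pos = start + 1
    while pos + 2 <= len(buf):
        header = int.from_bytes(buf[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:          # CompressedChunkSignature
            break                                   # not a chunk: container ended
        size = (header & 0x0FFF) + 3                # includes the 2-byte header
        compressed = (header >> 15) & 1
        chunk = buf[pos + 2:pos + size]
        chunk_start = len(out)
        if not compressed:
            out += chunk                            # raw 4096-byte chunk
        else:
            i = 0
            while i < len(chunk):
                flags = chunk[i]                    # one flag bit per token
                i += 1
                for bit in range(8):
                    if i >= len(chunk):
                        break
                    if not (flags >> bit) & 1:      # LiteralToken: copy byte
                        out.append(chunk[i])
                        i += 1
                        continue
                    token = int.from_bytes(chunk[i:i + 2], "little")
                    i += 2
                    # CopyToken: the offset field widens with the decompressed
                    # position inside this chunk (minimum 4 bits, maximum 12)
                    difference = len(out) - chunk_start
                    bit_count = max((difference - 1).bit_length(), 4)
                    length = (token & (0xFFFF >> bit_count)) + 3
                    offset = (token >> (16 - bit_count)) + 1
                    if offset > difference:
                        raise ValueError("copy token reaches before chunk start")
                    for _ in range(length):         # byte-wise so overlaps work
                        out.append(out[-offset])
        pos += size
        if len(out) - chunk_start < 4096:           # only the last chunk is short
            break
    return bytes(out), pos - start


def carve_vba_sources(vba_project: bytes) -> List[Tuple[int, str]]:
    """Heuristic: every module stream ends with a container whose plaintext
    starts with 'Attribute VB_Name', so try each signature byte and keep the
    offsets that decompress to that (no OLE parsing; assumption for the example)."""
    hits = []
    pos = 0
    while (pos := vba_project.find(b"\x01", pos)) >= 0:
        try:
            text, used = decompress_container(vba_project, pos)
        except (ValueError, IndexError):
            text, used = b"", 1
        if text.startswith(b"Attribute VB_"):
            hits.append((pos, text.rstrip(b"\x00").decode("latin-1")))
            pos += used
        else:
            pos += 1
    return hits


def find_autoexec(source: str) -> List[str]:
    """Return the auto-executing procedure names declared in VBA source."""
    return [m.group(1) for m in _AUTOEXEC_RE.finditer(source)]


def pack_uncompressed(source: bytes) -> bytes:
    """Build a container with one raw chunk (header 0x3FFF: size 4098,
    signature 0b011, flag 0) for constructing the sample; real writers compress."""
    assert len(source) <= 4096
    return b"\x01" + (0x3FFF).to_bytes(2, "little") + source.ljust(4096, b"\x00")


# Constructed stand-in for a module stream: filler in place of the performance
# cache (including a stray 0x01 the carver must reject), then the source.
SAMPLE_SOURCE = (
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b"Sub AutoOpen()\r\n"
    b"    ' constructed placeholder body, not the Carnegie document's macro\r\n"
    b"    Call Stage\r\n"
    b"End Sub\r\n"
)
SAMPLE_VBA_PROJECT = (b"\x00" * 40 + b"PerformanceCache" + b"\x01\x30\x30"
                      + b"\xff" * 24 + pack_uncompressed(SAMPLE_SOURCE))

if __name__ == "__main__":
    for offset, src in carve_vba_sources(SAMPLE_VBA_PROJECT):
        print(f"module source at offset {offset}, auto-exec: {find_autoexec(src)}")
```

Feed it the bytes of `word/vbaProject.bin` unzipped from a `.docm` (the file is an ordinary zip archive); a hit naming `AutoOpen` or `Document_Open` means code runs the moment the user clicks through the macro warning, which is exactly the prompt the Carnegie document relied on.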
Mac users are attacked far less often than their Windows counterparts. That is partly down to the protections built into macOS, but mostly because Apple holds a much smaller share of the desktop market.
Recent research suggests, however, that criminals are shifting their attention to Mac OS X users, hoping to catch them off guard with carefully crafted lures.
The sense of security that comes with Mac OS lulls users into downloading files without checking where they came from, and even into typing their login credentials into fake replicas of system prompts.
According to the security researcher Patrick Wardle of Synack, the malware is not exactly “sophisticated”: it needs the victim to interact with it before it can run, and it only works if macros are enabled.
He nonetheless gave the file's creators credit for going after the weakest link, the user, and for abusing the “legitimate functionality” of macros. Because a macro is a supported feature rather than an exploit, the vector does not risk crashing the system and cannot simply be patched out.
Looked at against the history of PC malware, document-embedded malware belongs to an era that began in the mid-1990s and was aimed largely at Windows users.
The Melissa virus of 1999 also arrived as a Word document. It spread quickly because, once opened, it mailed a copy of itself to a number of the victim's Outlook contacts, most of whom trusted a file that appeared to come from someone they knew.
The malware in the “US Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace” document also surfaced at the same time as a second sample that experts have described as poorly written and unsophisticated. It targets Mac users too, and is disguised as a Flash Player update.
Its creators, analysts believe, were banking on Flash Player's reputation for nagging update prompts: users accept the “update” simply to be rid of the pop-ups once and for all.
Once run, it tries to harvest the user's keychain, capture login credentials and collect other private data, and then sends what it finds back to the attacker.
Some regard this second sample as more capable than the macro document, but it remains primitive measured against the malware Windows users have to endure.
That is largely because these attackers have not found a way onto a Mac that does not depend on the user carelessly downloading and approving files.
The back-to-back attacks may look like a crack in Mac OS X's security, but both rely on social engineering rather than on any flaw in the platform, which if anything reinforces Apple's reputation for malware defence.
Apple has not issued an official statement on either attack so far, but users have been warned to be wary of the new trick.