For quite some time now, it has become clearer and clearer that Mac users need to dispense with any notion that they’re safe from the attentions of cybercriminals, and the emergence of the first macro-based Word document attack aimed against Apple’s platform has underlined this truth.
On Windows systems, malware-loaded macros hidden in documents of one sort or another have long been a way of infecting careless users who are happy to open suspicious looking attachments they get emailed, but this is the first real-world attack to infect Mac computers, as Ars Technica (opens in new tab) observes.
This particular payload is tucked away within a Word document which is entitled: ‘U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.’
As well as opening the file, you also have to ignore a prompt to disable macros, warning that macros may contain viruses etc. But generally speaking, there are always foolish users willing to do so, or who don’t read things properly, particularly if the malware-bearing document is temptingly named and they can’t wait to see the contents.
According to Ars, the malware itself is relatively unsophisticated, and simply employs code grabbed from an open source exploit framework for the Mac – which subsequently triggers the actual payload from a command and control server, but the latter was no longer in use by the time security experts were dissecting this.
In other words, it’s not known exactly what the malware was trying to do, but it was likely to be the usual stuff – password or webcam snooping and the like.
The most significant part of this attack is simply the fact that it’s the first time macros have been abused like this on macOS, and doubtless there’s more to come along these lines.
Patrick Wardle, director of research at security outfit Synack, made the initial post and subsequent investigation into the malware, and commented (opens in new tab): “Let's be nice and give the attackers some credit. By using a macros in Word document they are exploiting the weakest link; humans!”
He added: “And moreover since macros are 'legitimate' functionality (vs. say a memory corruption vulnerability) the malware's infection vector doesn't have to worry about crashing the system nor being 'patched' out.”
This development comes as another piece of macOS malware, called MacDownloader, was discovered earlier this week. In this case, it’s believed this was the work of Iranian hackers targeting the US defense industry, with the malware wrapped up in a fake installer. When executed, it makes off with system info and keychain data.
Clearly, more malware is being targeted at the Mac, and adapted from other platforms to hit Apple’s computers. Indeed, last autumn we saw the Mokes malware – which had previously plagued Windows and Linux systems – arrive in a Mac flavor. That one is a particularly nasty strain which opens up backdoor functionality to let the attacker do all manner of things to your computer or notebook.
- Turn your head to a Chromebook for the ultimate in security