Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers in China now have taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world.
Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks.
“A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file,” Jaime Blasco of AlienVault wrote in an analysis of the attacks.
The content of the Word file is a rambling letter addressed to the United Nations Human Rights Commission and discussing the anniversary of the Tibetan uprising against China. Once the Word file is opened, the initial payload of the malware executes and copies itself to memory. The second stage then executes and some files are copied to the /tmp/ folder and then executes a script.
Then, a pair of document files drop a Mac Trojan that AlienVault discovered earlier this month that uses a C&C server based in New York. After that the malware installs a second Trojan that was previously unknown and uses a China-based server for command and control.
“The second trojan found is a new one never seen. We have found several versions compiled for different architectures (ppc, i386..) .We have also found a version that has paths to debugging symbols. So the group seems to have a project called ‘longgege’ and the actual trojan is named ‘MacControl’ by them,” Blasco said.
The Trojan will be executed every time the computer starts and has the ability to listen for new commands from the C&C server.
This is one of the few known targeted attack campaigns that has specifically gone after Mac users and it follows closely on the heels of a series of spear phishing attacks that targeted Tibetan non-governmental organizations last week. Those attacks employed similar tactics to the current Mac attacks and used a Java exploit and researchers said they might have been tied to the same group that initiated the infamous GhostNet attacks several years ago.