Macro Malware Comes to macOS

Cybercriminals have developed macro malware for the macOS, the first time this technique has been spotted on the Apple platform.

Macro-based malware has crossed the divide between the Windows and Mac platforms.

A cybercrime group whose command and control infrastructure resolves to an IP address geo-located in Russia is using a Word document laced with a malicious macro that executes solely on macOS.

Following the same script as similar Windows-based attacks, the attached documents have a luring subject line, in this case: “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.” Once a user tries to open the attachment, they’re presented with a familiar dialogue box instructing them that macros must be enabled to view the document. If the macro is enabled, it executes its payload which then tries to download more code from the attacker’s site.

Mac malware macros

“It’s kind of a low-tech solution, but on one hand it’s abusing legitimate functionality so it’s not going to crash like a memory corruption or overflow might, and it’s not going to be patched out,” said Patrick Wardle, director of research at Synack. Wardle and a number of other researchers, analyzed the behavior of the macros and payload and published a report Monday.

“It’s low tech but it’s going to have a high success rate if people fall for it,” Wardle said. “Anytime you can target users; that’s why ransomware is so successful. That’s why macros work. They’re definitely the weakest link in my opinion.”

The attack works only on Mac versions of Word (attempts to execute on Windows or Pages, Mac-based productivity software similar to Word, failed). It also sidesteps Apple’s Gatekeeper protection which blocks unsigned code from executing; macros will execute since they’re given permission to do so by the user.

Once enabled, the macro decodes data and executes it via Python from an open source project called EmPyre. EmPyre is a legitimate open source Mac and Linux post-exploitation agent often used in penetration testing engagements. The attackers embedded a first stage component of EmPyre into the Word document and its sole purpose was to call out to the command infrastructure at securitychecking[.]org[:]443/index[.]asp for the second stage. The site, however, has gone dark so the researchers cannot be sure of exactly what the second stage was, but it’s likely the remaining EmPyre components.

“I see no reason why the attackers would use just one stage and not the other, especially when the first stage expects the second stage to be encrypted with a certain RC4,” Wardle said. “It’s possible that their code once it executes in the Word document could download and execute anything, but it’s very likely they’re going to download that second piece of the EmPyre agent.”

The second stage of EmPyre, Wardle said, is a persistent Mac backdoor that allows for a number of malicious capabilities, including modules for grabbing browser history, turning on the webcam, keylogging and dumping of hashes.

“From a hacker’s point of view, there’s this great open source module out there with all these different plugins, why not just use that,” Wardle said. “I think that’s what they did.”

It’s unknown who the attackers are behind this campaign, but it’s more than likely a cybercrime outfit given the use of macros and of an available open source tool. As for the securitychecking[.]org, it’s been previously associated with cybercrime activities such as phishing and other malware downloads.

“It looks like it’s some standard cybercriminal stuff. It’s not particularly advanced, they just spray it out there and see how many targets they can get,” Wardle said. “It’s not incredibly sophisticated but it if it works… Look at most ransomware attacks, they’re not using 0days, and it’s becoming an epidemic.”

Suggested articles

Hey Alexa, Who Am I Messaging?

Research shows that microphones on digital assistants are sensitive enough to record what someone is typing on a smartphone to steal PINs and other sensitive info.


  • Mike Litoris on

    So the vulnerability isn't is macOS, but in software distributed by Microsoft for macOS? It's not like that's happened before. /sarcasm
  • Richard Mathers on

    First, you don't have to think is he ignorant of the internet and security issues. I going to declare that I am ignorant of these issues. Second, I don't want to become an expert in these issues. Third, I do research on social welfare issues and I want a software program that provides the security I need. Fourth, I "don't" want a security software program that constantly asks me to make decisions that I have no way of knowing what the decision means. So Fifth, what the hell happens when I "Hide Certificate?" Increases my security and just allows me to collect malware. Next Sixth, Why would I chose to select "Connect" when you note there might be a malware problem? Now Seventh. Why not give me the option of informing you I want to use this site and so can you inform them of a "Certificate" issue or program a message to them saying this person wants to use your site but because of X,Y and/or Z they aren't comfortable using it. With this knowledge they just might correct it! Lastly, I have probably suggested something stupid or not done. If so please let me know. Rich Mathers

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.