Hackers are menacing Apple Mac users with Word documents laced with malicious macros that install malware.
Security researchers spotted a rash of poisonous files doing the rounds earlier this week, one of which was titled "U.S. Allies and Rivals Digest Trump's Victory – Carnegie Endowment for International Peace.docm." Apple fans who open the document in Word on a Mac are prompted to enable macros.
If enabled, the file executes a function, coded in Python, that downloads a malware payload to infect the machine. The Python code is taken from the open-source EmPyre project, a pure Python post-exploitation agent. The tactic is used to push persistent malware onto compromised Macs.
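The mechanism described above (a macro-enabled .docm that runs code when the user enables macros) is something a defender can triage before a document ever reaches Word. The following is an added example, not code from the article or from Wardle's analysis: a small Python checker that opens an Office Open XML file as the zip container it is, reports whether it carries a VBA project, and looks for auto-run and downloader-style strings in that part. The two sample documents are constructed in memory for the demonstration and are not the real malicious file.

```python
import io
import re
import zipfile

# Content types Office uses for macro-enabled Word documents and the VBA part itself.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"

# Strings worth flagging if they appear in a VBA part: auto-run entry points and
# hints that the macro hands off to a scripting runtime or a download tool.
SUSPICIOUS = re.compile(rb"AutoOpen|Document_Open|python|/bin/sh|curl", re.I)


def _build_ooxml(parts: dict) -> bytes:
    """Pack a dict of {part_name: bytes/str} into an OOXML-style zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_docm() -> bytes:
    """Constructed macro-enabled document: has a vbaProject.bin with an AutoOpen hook."""
    return _build_ooxml({
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CONTENT_TYPE}"/>'
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            "</Types>",
        "word/document.xml": "<w:document/>",
        # Constructed stand-in for a VBA part; a real one is an OLE compound file whose
        # module source is stored in MS-OVBA compressed form, not plain text like this.
        "word/vbaProject.bin":
            b"\xd0\xcf\x11\xe0 constructed: Sub AutoOpen() ... python ... End Sub",
    })


def build_sample_docx() -> bytes:
    """Constructed plain document with no macro part, for comparison."""
    return _build_ooxml({
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            "</Types>",
        "word/document.xml": "<w:document/>",
    })


def triage_office_file(data: bytes) -> dict:
    """Inspect an Office file's zip container and report macro indicators."""
    result = {
        "is_ooxml": False,
        "macro_enabled_content_type": False,
        "has_vba": False,
        "suspicious_strings": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip at all: legacy .doc (OLE) or something else; out of scope here.
        return result

    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    if not result["is_ooxml"]:
        return result

    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["macro_enabled_content_type"] = (
        VBA_CONTENT_TYPE in content_types or "macroEnabled" in content_types
    )

    # The presence of a vbaProject.bin part is the reliable "this carries macros" signal.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["has_vba"] = bool(vba_parts)

    hits = set()
    for name in vba_parts:
        for match in SUSPICIOUS.findall(zf.read(name)):
            hits.add(match.decode("ascii", "replace").lower())
    result["suspicious_strings"] = sorted(hits)
    return result


if __name__ == "__main__":
    for label, sample in (("docm", build_sample_docm()), ("docx", build_sample_docx())):
        print(label, triage_office_file(sample))
```

The `has_vba` flag is the dependable part of this check: any OOXML document that ships a `vbaProject.bin` part will ask the user to enable macros, which is exactly the prompt the article describes. The string scan is a weak heuristic on its own, because real VBA parts store module source compressed, so for production triage feed the VBA part to a proper decompressor such as oletools' olevba rather than relying on raw pattern matching.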
The IP address from which the documents were spread is geo-located in Russia and has previously been associated with malicious activities such as phishing, according to a write-up by security researcher Patrick Wardle.
"Overall this malware sample isn't particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word (not Apple's Pages)), as well as needs macros to be enabled," Wardle concludes, adding that the reliance on macros rather than a software vulnerability means that the exploit can't be blocked by patching systems.
Separately, security researchers have spotted macOS malware targeting the defense industry, which has reportedly also been used against a human rights advocate. The MacDownloader nasty attempts to pose as both an installer for Adobe Flash and the Bitdefender Adware Removal Tool.
Researchers reckon the malware is a work in progress – still lacking the ability to survive a reboot on infected systems (ie, persistence) – and is ultimately geared towards extracting data from compromised systems. The Iranian hackers suspected in the Mac raid have previously developed Windows and Android keystroke-logging and data exfiltrating spyware.
The Word macro malware only works on Mac computers. "The malware attempts to load a Mac-specific library [but] it would be trivial to make this cross-platform," security researcher Patrick Wardle told El Reg.
The nasty represents a rare example of Mac OS X malware and an even rarer example of using Word macros to attack Apple fans. "While Word documents with malicious macros on Windows is old news, recently we've seen a big uptick in them. It's only natural that eventually attackers figured out that they could target Mac users in this same manner," Wardle added. ®