Latest Posts

New Mac malware detected this week, based on primitive Windows techniques using Word macros

Benjamin Mayo 

Mac security researchers have found two separate instances of new macOS malware making the rounds this week, although the Mac exploit scene still remains far behind the sophisticated worms and trojan horses seen on Windows as noted by ArsTechnica.

One of the new malware exploits relies on an old Windows technique, exploiting code execution inside Word documents using macros. It is believed to be the first of its kind targeted at the Mac platform. Luckily, it’s easy to avoid in large part because it relies on such an old attack vector …

 

The exploit works by having unsuspecting users open a specially-crafted Word document that includes macros that run when the file is opened. Macros were a prevalent attack vector in the Windows world many years ago and it now seems at least one organization is attempting to use the primitive methods on Mac users.

A suspicious Word document is easily identified though. When launched with Microsoft Office (not Pages), a document including macros will prompt the user for permission to execute. Simply pressing ‘Disable Macros’ stops the malicious code from running. If permission is granted, the macros download arbitrary code from a remote server and execute it. This could include key logging, webcam monitoring, fetching browser history and more. In this particular case, researchers found the exploit in a file called ‘U.S. Allies and Rivals Digest Trump’s Victory’ but naturally the subject matter is largely irrelevant.

Given how primitive an attack it is, it’s hard to see how many people will be fooled into allowing the macro to do the bad stuff. Even the Office popup recommends the ‘Disable Macro’ option with clear warnings about viruses. However, the exploit makers know they only need a small proportion of people to press ‘Enable Macros’ to make it worth their time.

macdownloader-complete

The other instance of malware found this week relied on another classic Windows tactic, faking a common software update dialog which downloads malicious code rather than the genuine application. Researchers show how the MacDownloader virus presents itself as an Adobe Flash Player update.

In reality, it harvests user Keychain, phishes for usernames and passwords and collects other private sensitive data it can find. It then sends this data back to a remote location where the malware maker can use it however they please.

This attack is more sophisticated than the Word macros case, but still relatively straightforward. It relies on people clicking on a link to update their Flash Player plugin from a website, and then running the downloaded file. To avoid this kind of attack, always check for updates using the system tools (like Software Update) or visiting the plugin site directly. In the modern age we live in, it may be wise to uninstall Flash completely — it’s a very common attack vector.

Mac viruses remain a rare occurrence but common sense goes a long way to avoiding this kind of stuff. Never let Word documents from unknown sources run macros and never download updates for software from random websites on the Internet.