A new piece of malware that targets macOS appears to be the first one that includes one of the favorite tricks of Windows malware authors: the use of macros.
The malware, discovered recently by researchers, is delivered through the use of a rigged Microsoft Word document that is disguised as an analysis of America’s allies’ reaction to the presidential election. The name of the document, “U.S. and Allies Digest Trump’s Victory – Carnegie Endowment for International Peace”, is designed to entice victims into opening it, and if they do, they will be presented with a warning that the document contains macros.
Windows users have been warned for years to disable macros by default because malware authors have long used that feature to get their malicious creations to run automatically. Owners of Macs aren’t necessarily used to seeing malware quite as often, so if they see a dialog box talking about macros, they could be more apt to go ahead and enable them. In the case of the new macOS malware, once a victim opens the malicious document and enables macros, the embedded macro code runs a chain of functions.
“So whenever a user opens this document on Mac, in Word, (assuming macros have been/are enabled), the Fisher function will automatically be executed,” Patrick Wardle, a Mac security researcher who analyzed the malware in conjunction with several other researchers, said in his analysis. “The Fisher function decodes a base64 chunk of data (stored in the cmd variable) then executes it via python.”
That Python code performs a number of operations, including downloading and decrypting a second-stage payload from a remote server, and then executing it. What the malware downloads is the EmPyre post-exploitation agent, an open-source tool.
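The chain described above (a macro holding a base64 chunk in a `cmd` variable that decodes to Python) is what an analyst would look for when triaging a suspicious Word macro. The following is an added triage example, not code from the article or from any of the researchers it cites; the `SAMPLE_MACRO` text, the `Fisher` routine body and the benign placeholder payload are all constructed here, and the `find_encoded_python` and `decode_base64` helpers are hypothetical names.

```python
import base64
import binascii
import re

# Constructed, benign stand-in for the base64 chunk the article says the macro
# keeps in its `cmd` variable; it is NOT the real first-stage loader.
_BENIGN_STAGE = b'import sys\nprint("constructed placeholder, not a loader")\n'

# Constructed VBA snippet in the shape the article describes: a Fisher
# function with a long base64 string literal assigned to `cmd`.
SAMPLE_MACRO = (
    'Sub Fisher()\n'
    '    Dim cmd As String\n'
    '    cmd = "' + base64.b64encode(_BENIGN_STAGE).decode() + '"\n'
    '    \' constructed sample: decode cmd and hand it to python\n'
    'End Sub\n'
)

# Substrings that make a decoded blob look like Python source rather than
# random bytes; extend this list for your own environment.
_PY_MARKERS = ("import ", "exec(", "urllib", "subprocess", "os.system")

# `<var> = "<long base64 literal>"`; a fuller tool would also join
# "a" & "b" concatenations that macro authors use to split long strings.
_B64_ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([A-Za-z0-9+/=]{40,})"')


def decode_base64(blob: str):
    """Return the decoded bytes, or None if `blob` is not strict base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_encoded_python(macro_text: str):
    """Return (variable, decoded_text) pairs for base64 literals that decode to Python."""
    findings = []
    for match in _B64_ASSIGNMENT.finditer(macro_text):
        var, blob = match.group(1), match.group(2)
        raw = decode_base64(blob)
        if raw is None:
            continue
        text = raw.decode("utf-8", errors="replace")
        if any(marker in text for marker in _PY_MARKERS):
            findings.append((var, text))
    return findings


if __name__ == "__main__":
    for var, text in find_encoded_python(SAMPLE_MACRO):
        print(f"variable {var!r} decodes to Python source:\n{text}")
```

Run it against macro text extracted from a document (for example with olevba) to surface variables worth a closer look; an empty result is not a clean bill of health, since encodings other than plain base64 are not covered.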
“As mentioned above, the goal of the first stage python code is to download and execute a second stage component from https://www.securitychecking.org:443/index.asp. Unfortunately this file is now inaccessible. However, this file was likely just the second-stage component of EmPyre (though yes, the attackers could of course download and execute something else),” Wardle said.
“The second-stage component of EmPyre is the persistent agent that affords a remote attacker continuing access to an infected host.”
The persistence module included in EmPyre allows the attacker to take a number of different actions on a machine infected by the macOS malware, including accessing the browser history and downloading the user’s keychain. Wardle said that despite its novelty, this macOS malware isn’t the most sophisticated thing on the scene.
“Overall this malware sample isn’t particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word, not Apple’s Pages), as well as needing macros to be enabled,” he said.