March 24, 2017 By Douglas Bonderud 2 min read

Things are getting wild for macOS users: Macro malware is on the rise. For Windows users this is old hat, since Word-based macro infections have been making rounds since the early 1990s. The attack vector isn’t terribly complicated: Users receive a document attachment in their email, download it and open it in Word.

They’re then advised to “enable macros,” which are in-program scripts that allow attackers to download malware payloads and infect devices. MacOS users have largely been immune from these threats — until now.

Threatpost noted macro malware for Apple’s OS appeared in February, while Bleeping Computer detailed a new vector that checks which operating system (OS) users are running and then delivers tailor-made Python code. So what’s the word on staying safe in this wild, wild macro world?

Snake in the Grass

Macro malware on Macs has historically been a nonstarter, but once Microsoft rolled out a macOS version of Word, attackers started experimenting. Turns out that Python was the best way in.

As reported by Threatpost piece, cybercriminals created a Word document with embedded macros and a compelling title: “U.S. Allies and Rivals Digest Trump’s Victory — Carnegie Endowment for International Peace.docm.”

Users were asked to enable macros when they tried to open the document which, in turn, bypassed Apple’s vaunted Gatekeeper since users gave permission for macro execution. Next the malware grabbed EmPyre, a legitimate Mac and Linux post-exploitation agent that had been modified for malicious purposes.

By the time researchers tracked down the command-and-control (C&C) server, it had gone offline. However, the likely next step was a second stage EmPyre infection, which would create a persistent backdoor.

Macros on the Rise for MacOS

Malicious actors didn’t stop there. Using Python, they created a new form of macro malware that can infect both Windows and macOS devices. Depending on the OS, the malware sends down differing Python code but produces the same end result: Using modules from Meterpreter to contact a remote C&C server for final payload.

This configuration is certainly a step up in sophistication for macro malware, with merged attack code existing inside the same macro script and able to intelligently execute depending on the system configuration of intended victims. Again, the C&C server was down when researchers arrived, suggesting that this may be a proof-of-concept attack to pave the way for more sophisticated threats.

TechTarget noted, for example, that new macro variants are now able to accurately determine if they’re in sandbox or virtual environments, and can stay dormant to avoid detection. The code achieves this aim by first checking to see if at least three other Word documents have been recently opened. If not, chances are it’s a security sandbox. In addition, the malware obtains host system IP to determine if it’s landed on the servers of a known security research firm or hosting company.

The takeaway? For Windows systems it’s business as usual: Always disable macros and never enable them if the document source isn’t verified. For Mac users this is a wake-up call — macro malware is now an equal opportunity infector.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today