March 24, 2017 By Douglas Bonderud 2 min read

Things are getting wild for macOS users: Macro malware is on the rise. For Windows users this is old hat, since Word-based macro infections have been making rounds since the early 1990s. The attack vector isn’t terribly complicated: Users receive a document attachment in their email, download it and open it in Word.

They’re then advised to “enable macros,” which are in-program scripts that allow attackers to download malware payloads and infect devices. MacOS users have largely been immune from these threats — until now.

Threatpost noted macro malware for Apple’s OS appeared in February, while Bleeping Computer detailed a new vector that checks which operating system (OS) users are running and then delivers tailor-made Python code. So what’s the word on staying safe in this wild, wild macro world?

Snake in the Grass

Macro malware on Macs has historically been a nonstarter, but once Microsoft rolled out a macOS version of Word, attackers started experimenting. Turns out that Python was the best way in.

As reported by Threatpost, cybercriminals created a Word document with embedded macros and a compelling title: “U.S. Allies and Rivals Digest Trump’s Victory — Carnegie Endowment for International Peace.docm.”

When users tried to open the document, they were asked to enable macros. Because the users themselves gave permission for macro execution, this bypassed Apple’s vaunted Gatekeeper. Next, the malware grabbed EmPyre, a legitimate Mac and Linux post-exploitation agent that had been modified for malicious purposes.

By the time researchers tracked down the command-and-control (C&C) server, it had gone offline. However, the likely next step was a second-stage EmPyre infection, which would create a persistent backdoor.

Macros on the Rise for MacOS

Malicious actors didn’t stop there. Using Python, they created a new form of macro malware that can infect both Windows and macOS devices. Depending on the OS, the malware sends down different Python code but produces the same end result: it uses modules from Meterpreter to contact a remote C&C server for the final payload.

This configuration is certainly a step up in sophistication for macro malware, with merged attack code existing inside the same macro script and able to intelligently execute depending on the system configuration of intended victims. Again, the C&C server was down when researchers arrived, suggesting that this may be a proof-of-concept attack to pave the way for more sophisticated threats.

TechTarget noted, for example, that new macro variants are now able to accurately determine if they’re in sandbox or virtual environments, and can stay dormant to avoid detection. The code achieves this aim by first checking to see if at least three other Word documents have been recently opened. If not, chances are it’s a security sandbox. In addition, the malware obtains the host system’s IP address to determine if it has landed on the servers of a known security research firm or hosting company.
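Defenders can triage extracted macro source for the traits described in this section: an auto-run entry point, per-OS branching, a hand-off to Python and the recent-documents check. The following Python example is added here and is not code from the article or the researchers it cites; the regexes, the function names and the inert sample macro are constructed assumptions, and the VBA text is assumed to have been extracted beforehand (for example with oletools' olevba).

```python
import re

# Heuristic patterns (assumptions built from common VBA constructs,
# not signatures taken from the reported samples).
F = re.I | re.M
INDICATORS = {
    # Macro that fires as soon as the document is opened
    "auto_exec": re.compile(
        r"^\s*(?:(?:Private|Public)\s+)?Sub\s+"
        r"(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", F),
    # One macro carrying separate macOS and Windows branches
    "os_branch": re.compile(r"#If\s+Mac\b|\.OperatingSystem\b", F),
    # Hand-off to a Python interpreter or an OS shell
    "python_exec": re.compile(r"\bpython[\d.]*\b", F),
    "shell_out": re.compile(r"\b(?:MacScript|AppleScriptTask|Shell)\b", F),
    # Sandbox check: compares the count of recently opened documents
    "recent_files_check": re.compile(
        r"RecentFiles\.Count\s*(?:<=?|>=?|=)\s*\d+", F),
}

def scan_macro(source):
    """Return {indicator: [matched text, ...]} for every pattern that hits."""
    found = {n: [m.group(0).strip() for m in rx.finditer(source)]
             for n, rx in INDICATORS.items()}
    return {n: v for n, v in found.items() if v}

def verdict(hits):
    """Combine indicators; an isolated hit only warrants a manual look."""
    runs_itself = "auto_exec" in hits
    cross_platform = "os_branch" in hits and (
        "python_exec" in hits or "shell_out" in hits)
    evasive = "recent_files_check" in hits
    if runs_itself and (cross_platform or evasive):
        return "suspicious"
    return "review" if hits else "clean"

# Constructed, inert sample: placeholders stand in for any real command.
SUSPECT = '''Sub AutoOpen()
    If Application.RecentFiles.Count < 3 Then Exit Sub
    #If Mac Then
        Shell "python PLACEHOLDER_MAC"
    #Else
        Shell "python PLACEHOLDER_WIN"
    #End If
End Sub'''
BENIGN = "Sub FormatReport()\n    Selection.Font.Bold = True\nEnd Sub"

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, verdict(scan_macro(src)), sorted(scan_macro(src)))
```

The patterns match raw text, so a keyword inside a VBA comment or string literal also counts; treat "review" and "suspicious" as prompts for manual analysis rather than final classifications.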

The takeaway? For Windows systems it’s business as usual: Always disable macros and never enable them if the document source isn’t verified. For Mac users this is a wake-up call — macro malware is now an equal opportunity infector.
