March 24, 2017 By Douglas Bonderud 2 min read

Things are getting wild for macOS users: Macro malware is on the rise. For Windows users this is old hat, since Word-based macro infections have been making rounds since the early 1990s. The attack vector isn’t terribly complicated: Users receive a document attachment in their email, download it and open it in Word.

They’re then advised to “enable macros,” which are in-program scripts that allow attackers to download malware payloads and infect devices. macOS users have largely been immune to these threats — until now.

Threatpost noted macro malware for Apple’s OS appeared in February, while Bleeping Computer detailed a new vector that checks which operating system (OS) users are running and then delivers tailor-made Python code. So what’s the word on staying safe in this wild, wild macro world?

Snake in the Grass

Macro malware on Macs has historically been a nonstarter, but once Microsoft rolled out a macOS version of Word, attackers started experimenting. Turns out that Python was the best way in.

As reported in the Threatpost piece, cybercriminals created a Word document with embedded macros and a compelling title: “U.S. Allies and Rivals Digest Trump’s Victory — Carnegie Endowment for International Peace.docm.”

Users were asked to enable macros when they tried to open the document, which in turn bypassed Apple’s vaunted Gatekeeper, since the users themselves gave permission for macro execution. Next, the malware grabbed EmPyre, a legitimate Mac and Linux post-exploitation agent that had been modified for malicious purposes.

By the time researchers tracked down the command-and-control (C&C) server, it had gone offline. However, the likely next step was a second stage EmPyre infection, which would create a persistent backdoor.
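A document like the one described above is an OOXML ZIP container whose macros live in the `word/vbaProject.bin` part, and macro-enabled documents declare a macroEnabled main content type. The following triage script is an added example (not code from the article or from the researchers it cites) that inspects an attachment's bytes for those two indicators before a user is ever asked to “enable macros”; the sample documents it builds are constructed stand-ins, not real malware.

```python
# Added example: triage a Word attachment for an embedded VBA project.
import io
import zipfile

MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"


def inspect_word_file(data: bytes) -> dict:
    """Return macro indicators for a .docx/.docm given as bytes.

    A VBA part in a file with a harmless-looking .docx extension is just as
    telling as a declared macroEnabled content type, so both are reported.
    """
    result = {"is_zip": False, "has_vba_part": False,
              "macro_enabled_type": False, "vba_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy OLE2 .doc, or not a Word file at all
    result["is_zip"] = True
    names = zf.namelist()
    result["vba_parts"] = [n for n in names if "vba" in n.lower()]
    result["has_vba_part"] = VBA_PART in names
    if "[Content_Types].xml" in names:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_enabled_type"] = MACRO_MAIN_TYPE in ctypes
    return result


def build_sample(with_macros: bool) -> bytes:
    """Constructed sample document (placeholder parts, no real macro code)."""
    main_type = MACRO_MAIN_TYPE if with_macros else PLAIN_MAIN_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # OLE2 magic followed by placeholder bytes, standing in for vbaProject.bin
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder OLE container")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "macro"):
        print(label, inspect_word_file(build_sample(label == "macro")))
```

Any attachment where `has_vba_part` is true deserves a second look regardless of its extension; a mail gateway or EDR rule can apply the same check at scale.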

Macros on the Rise for MacOS

Malicious actors didn’t stop there. Using Python, they created a new form of macro malware that can infect both Windows and macOS devices. Depending on the OS, the malware sends down differing Python code but produces the same end result: using modules from Meterpreter to contact a remote C&C server for the final payload.

This configuration is certainly a step up in sophistication for macro malware, with merged attack code existing inside the same macro script and able to intelligently execute depending on the system configuration of intended victims. Again, the C&C server was down when researchers arrived, suggesting that this may be a proof-of-concept attack to pave the way for more sophisticated threats.

TechTarget noted, for example, that new macro variants are now able to accurately determine if they’re in sandbox or virtual environments, and can stay dormant to avoid detection. The code achieves this aim by first checking whether at least three other Word documents have been opened recently. If not, chances are it’s a security sandbox. In addition, the malware obtains the host system’s IP address to determine if it has landed on the servers of a known security research firm or hosting company.

The takeaway? For Windows systems it’s business as usual: Always disable macros and never enable them if the document source isn’t verified. For Mac users this is a wake-up call — macro malware is now an equal opportunity infector.
