March 24, 2017 By Douglas Bonderud 2 min read

Things are getting wild for macOS users: Macro malware is on the rise. For Windows users this is old hat, since Word-based macro infections have been making rounds since the early 1990s. The attack vector isn’t terribly complicated: Users receive a document attachment in their email, download it and open it in Word.

They’re then advised to “enable macros,” which are in-program scripts that allow attackers to download malware payloads and infect devices. MacOS users have largely been immune from these threats — until now.

Threatpost noted macro malware for Apple’s OS appeared in February, while Bleeping Computer detailed a new vector that checks which operating system (OS) users are running and then delivers tailor-made Python code. So what’s the word on staying safe in this wild, wild macro world?

Snake in the Grass

Macro malware on Macs has historically been a nonstarter, but once Microsoft rolled out a macOS version of Word, attackers started experimenting. Turns out that Python was the best way in.

As reported by Threatpost piece, cybercriminals created a Word document with embedded macros and a compelling title: “U.S. Allies and Rivals Digest Trump’s Victory — Carnegie Endowment for International Peace.docm.”

Users were asked to enable macros when they tried to open the document which, in turn, bypassed Apple’s vaunted Gatekeeper since users gave permission for macro execution. Next the malware grabbed EmPyre, a legitimate Mac and Linux post-exploitation agent that had been modified for malicious purposes.

By the time researchers tracked down the command-and-control (C&C) server, it had gone offline. However, the likely next step was a second stage EmPyre infection, which would create a persistent backdoor.

Macros on the Rise for MacOS

Malicious actors didn’t stop there. Using Python, they created a new form of macro malware that can infect both Windows and macOS devices. Depending on the OS, the malware sends down differing Python code but produces the same end result: Using modules from Meterpreter to contact a remote C&C server for final payload.

This configuration is certainly a step up in sophistication for macro malware, with merged attack code existing inside the same macro script and able to intelligently execute depending on the system configuration of intended victims. Again, the C&C server was down when researchers arrived, suggesting that this may be a proof-of-concept attack to pave the way for more sophisticated threats.

TechTarget noted, for example, that new macro variants are now able to accurately determine if they’re in sandbox or virtual environments, and can stay dormant to avoid detection. The code achieves this aim by first checking to see if at least three other Word documents have been recently opened. If not, chances are it’s a security sandbox. In addition, the malware obtains host system IP to determine if it’s landed on the servers of a known security research firm or hosting company.

The takeaway? For Windows systems it’s business as usual: Always disable macros and never enable them if the document source isn’t verified. For Mac users this is a wake-up call — macro malware is now an equal opportunity infector.

More from

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today