March 24, 2017 By Douglas Bonderud 2 min read

Things are getting wild for macOS users: Macro malware is on the rise. For Windows users this is old hat, since Word-based macro infections have been making rounds since the early 1990s. The attack vector isn’t terribly complicated: Users receive a document attachment in their email, download it and open it in Word.

They’re then advised to “enable macros,” which are in-program scripts that allow attackers to download malware payloads and infect devices. MacOS users have largely been immune from these threats — until now.

Threatpost noted macro malware for Apple’s OS appeared in February, while Bleeping Computer detailed a new vector that checks which operating system (OS) users are running and then delivers tailor-made Python code. So what’s the word on staying safe in this wild, wild macro world?

Snake in the Grass

Macro malware on Macs has historically been a nonstarter, but once Microsoft rolled out a macOS version of Word, attackers started experimenting. Turns out that Python was the best way in.

As reported by Threatpost piece, cybercriminals created a Word document with embedded macros and a compelling title: “U.S. Allies and Rivals Digest Trump’s Victory — Carnegie Endowment for International Peace.docm.”

Users were asked to enable macros when they tried to open the document which, in turn, bypassed Apple’s vaunted Gatekeeper since users gave permission for macro execution. Next the malware grabbed EmPyre, a legitimate Mac and Linux post-exploitation agent that had been modified for malicious purposes.

By the time researchers tracked down the command-and-control (C&C) server, it had gone offline. However, the likely next step was a second stage EmPyre infection, which would create a persistent backdoor.

Macros on the Rise for MacOS

Malicious actors didn’t stop there. Using Python, they created a new form of macro malware that can infect both Windows and macOS devices. Depending on the OS, the malware sends down differing Python code but produces the same end result: Using modules from Meterpreter to contact a remote C&C server for final payload.

This configuration is certainly a step up in sophistication for macro malware, with merged attack code existing inside the same macro script and able to intelligently execute depending on the system configuration of intended victims. Again, the C&C server was down when researchers arrived, suggesting that this may be a proof-of-concept attack to pave the way for more sophisticated threats.

TechTarget noted, for example, that new macro variants are now able to accurately determine if they’re in sandbox or virtual environments, and can stay dormant to avoid detection. The code achieves this aim by first checking to see if at least three other Word documents have been recently opened. If not, chances are it’s a security sandbox. In addition, the malware obtains host system IP to determine if it’s landed on the servers of a known security research firm or hosting company.

The takeaway? For Windows systems it’s business as usual: Always disable macros and never enable them if the document source isn’t verified. For Mac users this is a wake-up call — macro malware is now an equal opportunity infector.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today