
Microsoft Word macro malware automatically adapts attack techniques for macOS, Windows

A form of Word macro-based malware has been uncovered that can affect both macOS and Windows users when executed, with the malicious file modifying its attack method depending on which operating system it detects it is being run within.

The Word file, discovered on March 16 by FortiGuard Labs, contains a macro using Visual Basic for Applications (VBA) code, which runs automatically once the file is opened. In the event the user has disabled macros in Microsoft Office, or is previewing it online, the file contains an image that tries to convince the user to download the document and enable macros.

When executed, the macro reads and decodes base64-encoded data stored in the file's "comments" property. This data turns out to be a Python script that attempts to detect the operating system the file is opened on, running one of two different functions depending on whether the host system is running macOS or Windows.
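The comments-property trick described above is something a defender can check for directly. The following Python is added here as an example and is not part of the FortiGuard analysis or the article: it opens an OOXML (.docx/.docm) container, reads the Comments property from docProps/core.xml, and flags the file when that property is a base64 blob that decodes to script-like text. The file path and namespace are the standard OOXML ones; the marker list and the sample document are constructed assumptions.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Word's "Comments" property is stored as <dc:description> in docProps/core.xml of the OOXML zip.
CORE_XML = "docProps/core.xml"
DC_DESCRIPTION = "{http://purl.org/dc/elements/1.1/}description"
SCRIPT_MARKERS = ("import ", "platform", "subprocess", "powershell", "exec(")  # script-like tokens (heuristic)

def comments_property(doc_bytes: bytes) -> str:
    """Return the document's Comments property, or '' if it is absent."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if CORE_XML not in zf.namelist():
            return ""
        root = ET.fromstring(zf.read(CORE_XML))
    return root.findtext(DC_DESCRIPTION) or ""

def decode_if_base64(text: str) -> "bytes | None":
    """Strict base64 decode; None means the property is ordinary text."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 32 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def inspect_document(doc_bytes: bytes) -> dict:
    """Flag a document whose Comments property hides a base64-encoded script."""
    decoded = decode_if_base64(comments_property(doc_bytes))
    if decoded is None:
        return {"suspicious": False, "markers": []}
    text = decoded.decode("utf-8", errors="replace").lower()
    hits = [m for m in SCRIPT_MARKERS if m in text]
    return {"suspicious": bool(hits), "markers": hits}

def build_sample_doc(comment: str) -> bytes:
    """Constructed minimal OOXML container used as a test fixture (not a real Word file)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties '
            'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            f'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:description>{comment}</dc:description></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_XML, core)
    return buf.getvalue()

# Constructed sample: a harmless OS-detection snippet, base64-encoded the way the macro stores its payload.
SAMPLE_COMMENT = base64.b64encode(b"import platform\nprint(platform.system())\n").decode()
```

Running `inspect_document(build_sample_doc(SAMPLE_COMMENT))` flags the fixture, while a document whose Comments field holds ordinary text is left alone.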

Researchers Xiaopeng Zhang and Chris Navarrete note this VBA code is a slightly modified version of existing Metasploit framework code. Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security.

If macOS is detected, another Python script is run which again extracts code from a base64-encoded string and then downloads and executes a file from a specific URL. The downloaded "meterpreter" file is another Python script, again modified from the Metasploit framework, used as a dynamically extensible payload that can run commands provided by a server.

The payload is shown to connect to a host over port 443 in order to fetch further commands or download more payload files. The researchers note that their attempts to connect to the server failed, as it did not answer client requests, though the Python process used to establish the connection keeps retrying despite the failure, persisting in the hope it can reach the server at a later time.

Malware code used to run specific functions based on the detected operating system

In the event the macro runs on Windows, a similar function is called for that operating system, this time using base64-encoded code to run PowerShell, which is then used to decompress and execute another PowerShell script. This latter script downloads a 64-bit DLL file, which is then used to try to communicate with a server for extra instructions.

While in both cases the malware doesn't directly harm or leak any data, infected systems are left in a state awaiting further instruction from an online server. If left unchecked, this could result in more malicious code being downloaded that could cause more damage to a user's data, such as by installing ransomware or accessing the user's Keychain, or even using the infected system for other nefarious purposes.

Word macros are well known as a possible attack vector for malware, with the relatively old technique largely used to infect Windows users. In February, researchers discovered a version of macro malware that took aim at macOS, using a similar method of downloading a malicious payload from a server, though again the payload itself was not available to view at the time of discovery.

This latest malware appears to take the principle one step further, by attacking both Windows and Mac users using the same file, maximizing the potential infections compared to spreading two separate versions tailored for each operating system.

The new Word macro attack arrives shortly after a number of other malware discoveries targeting Macs. In February, the MacDownloader malware took aim at the US defense industry with a fake Flash update, while another report revealed a Mac strain of Xagent, allegedly created by the same Russian hacking group accused of interfering with the 2016 U.S. presidential election.



18 Comments

MacPro 18 Years · 19845 comments

I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application such as opening a file from a Windows user on a Mac. It reads as if this is the case. I'd love to know, I have employed many programmers I'm just not one so this is as clear as mud to me.

frac 14 Years · 480 comments

Word macros? VBA? malware?
1995 and Mac OS 9 wants its vulnerabilities back.

Rayz2016 8 Years · 6957 comments

MacPro said:
I'm not totally clear, I assume you'd have to be running a Microsoft Office version for Mac? If so there is a simple solution for that. Or can this somehow get into macOS without running a Microsoft application such as opening a file from a Windows user on a Mac. It reads as if this is the case. I'd love to know, I have employed many programmers I'm just not one so this is as clear as mud to me.

Yes, they're VBA macros so you have to run MS Office to be affected. 

williamh 13 Years · 1048 comments

This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities. Of course it can also be used for nefarious purposes just like many security tools. Keep up the fake news.

rob53 13 Years · 3312 comments

williamh said:
This article really mischaracterizes the purpose of Metasploit. It is used to test for or confirm vulnerabilities. Of course it can also be used for nefarious purposes just like many security tools. Keep up the fake news.

Not fake news. Read how the article characterizes it:

Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security. 

Also check out their website, www.metasploit.com. The banner says:

World's most used penetration testing software


When I read that, even though I spent my last eight years at work in cyber security, I see it as a veiled attempt at trying to market security software that really is for generating malware or intrusion software, whether it's used for "nefarious" purposes or not. All penetration software is software created to attack systems. You can try and call it something different, and the FBI, CIA, and especially NSA do all the time, but it is still software used to disable the security of an existing system.