A form of Word macro-based malware has been uncovered that can affect both macOS and Windows users when executed, with the malicious file modifying its attack method depending on which operating system it detects it is being run within.
The Word file, discovered on March 16 by FortiGuard Labs, contains a macro using Visual Basic for Applications (VBA) code, which runs automatically once the file is opened. In the event the user has disabled macros in Microsoft Office, or is previewing it online, the file contains an image that tries to convince the user to download the document and enable macros.
When executed, the macro reads and decodes base 64-encoded data stored in the file's "comments" property. This code turns out to be a python script that attempts to detect the operating system the file is opened inside, running one of two different functions depending on if the host system is running macOS or Windows.
Researchers Xiaopeng Xhang and Chris Navarrete note this VBA code is a slightly modified version of an existing Metasploit framework. Metasploit is an open source exploit development framework that could be used to create malware and other tools to attack systems, though it also has a number of legitimate applications in computer security.
If macOS is detected, another python script is run which again extracts code from a base64-encoded string, which then downloads and executes a file from a specific URL. The downloaded "meterpreter" file is another python script, again modified from the Metasploit framework, used as a dynamically extensible payload that can run commands provided by a server.
The payload is shown to connect to a host through port 443, in order to get more commands or to download more payload files. The researchers note that attempts to connect to the server failed, with it failing to answer client requests, though the python process used to establish the connection to the server continues trying to get a response despite the failure, persisting in the hope it can reach the server at a later time.
Malware code used to run specific functions based on the detected operating system
In the event the macro runs in Windows, a similar function is called just for that operating system, this time using base 64-encoded code to run PowerShell, which is then used to decompress and execute another PowerShell script. This latter script downloads a 64-bit DLL file, which is then used to try and communicate with a server for extra instructions.
While in both cases the malware doesn't directly harm or leak any data, infected systems are left in a state awaiting further instruction from an online server. If left unchecked, this could result in more malicious code being downloaded that could cause more damage to a user's data, such as by installing ransomware or accessing the user's Keychain, or even use the infected system for other nefarious purposes.
Word macros are well known as a possible attack vector for malware, with the relatively old technique largely used to infect Windows users. In February, researchers discovered a version of macro malware that took aim at macOS, using a similar method of downloading a malicious payload from a server, though again the payload itself was not available to view at the time of discovery.
This latest malware appears to take the principle one step further, by attacking both Windows and Mac users using the same file, maximizing the potential infections compared to spreading two separate versions tailored for each operating system.
The new Word macro attack arrives shortly after a number of other malware discoveries targeting Macs. In February, the MacDownloader malware took aim at the US defense industry with a fake Flash update, while another report revealed a Mac strain of Xagent, allegedly created by the same Russian hacking group accused of interfering with the 2016 U.S. presidential election.