A virus distribution mechanism involving malicious Microsoft Office macros has recently started affecting macOS machines.
Security analysts have long been accustomed to macro-borne viruses targeting Windows: this attack vector first surfaced in the 90s and is still in criminals' offensive arsenal. Only recently, however, has the same stratagem started hitting Apple's macOS. The new malware distribution campaign relies on booby-trapped Microsoft Word files which, when opened, show either a blank page or a message reading "This document is protected". To see the content, unsuspecting victims are prompted to click the "Enable Content" button on the security warning displayed at the top of the window. Once they do, a malicious macro launches a Python script that downloads the actual malware from a remote server.
The notable feature of this method is that the infection is cross-platform. The malicious macro embedded in the Word document begins the infection chain by determining which operating system it is running on. Depending on the answer, it launches the version of the Python script written for that platform. The script then establishes a covert connection to the attackers' Command & Control server and requests the malware payload proper. In this way the threat actors can execute virtually any malicious code on the victim's machine behind the scenes.
The bad guys are, clearly, making their malware distribution cross-platform. The Python-based macro in question is the first catalogued sample that targets both Windows and macOS. The macro itself is effectively identical in the two scenarios; it is the payload downloaded from the criminals' C2 that differs. Regardless of the OS being targeted, email spam is the delivery channel. The most harmful type of software served this way is ransomware, which encrypts victims' data and demands hundreds of dollars for decryption. This is why Mac users, just like Windows users, should now exercise extra caution with spam carrying Word attachments.
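The closing advice about Word attachments in spam is something a mail gateway can enforce before a document ever reaches a user. The following is an added example, not code from the article or from any vendor: it parses a constructed sample message and flags attachments that are macro-enabled OOXML documents (a vbaProject.bin part or a macroEnabled content type) or legacy binary .doc containers, which can carry VBA and need a dedicated OLE parser. The file names, attachment contents and verdict labels are constructed for the demo.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# OOXML content types that declare a macro-enabled Word document or template.
MACRO_TYPES = ("application/vnd.ms-word.document.macroEnabled.main+xml",
               "application/vnd.ms-word.template.macroEnabledTemplate.main+xml")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (CFBF) header
def classify_attachment(blob: bytes) -> str:
    """Return 'macro', 'legacy-ole', 'clean' or 'other' for one attachment body."""
    if blob.startswith(OLE_MAGIC):
        return "legacy-ole"  # binary .doc may hide VBA; hand it to an OLE parser
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return "other"
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"  # VBA project part present, whatever the extension says
        if "[Content_Types].xml" in names:
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if any(ct in types for ct in MACRO_TYPES):
                return "macro"  # declared macro-enabled even if the part is missing
    return "clean"
def flag_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Classify every attachment of a raw RFC 822 message as (filename, verdict)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    return [(part.get_filename() or "<unnamed>",
             classify_attachment(part.get_payload(decode=True) or b""))
            for part in msg.iter_attachments()]

def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_TYPES[0] if with_macro else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        zf.writestr("[Content_Types].xml", f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed spam-style message: one .docm, one .docx, one legacy .doc."""
    msg = EmailMessage()
    msg.set_content("Please see the attached document.")
    msg.add_attachment(build_docx(True), maintype="application", subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(build_docx(False), maintype="application", subtype="vnd.openxmlformats-officedocument.wordprocessingml.document", filename="notes.docx")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 504, maintype="application", subtype="msword", filename="old.doc")
    return msg.as_bytes()
```

A "macro" or "legacy-ole" verdict is the trigger to quarantine the message or strip the attachment; the check looks at the container itself, so renaming a .docm to .docx does not evade it.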