Macro-based malware has been infecting Windows PCs for a long time. Now it has crossed over to the Mac operating system.
A cybercrime group whose command-and-control infrastructure resolves to an IP address geolocated in Russia is using a Word document spiked with a malicious macro designed exclusively for Mac OS.
The document carries a controversial or catchy title such as: “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.”
When the unsuspecting user opens the attachment, they see a familiar dialog box asking them to enable macros in order to view the document. If macros are enabled, the malicious macro code runs and fetches more malware from the group's website.
Macros are an old technique, but a formidable foe once executed. Because they are legitimate functionality, they will not crash the way a memory-corruption or overflow exploit might, and they are not going to be patched out.
Patrick Wardle, director of research at Synack, and a number of other researchers analyzed the behavior of the macro and payload and published a report Monday.
“It’s low tech but it’s going to have a high success rate if people fall for it,” Wardle said. “Anytime you can target users; that’s why ransomware is so successful. That’s why macros work. They’re definitely the weakest link in my opinion.”
This specific attack only works on Mac versions of Microsoft Word, since attempts to run it on Windows and in Pages, a Mac productivity application similar to Word, failed.
The attack also avoids Apple's Gatekeeper protection, which automatically blocks unsigned code from running.
The clever thing about this is that the macros execute because the user has given them permission to do so.
According to Wardle, once enabled, the macro decodes embedded data and executes it via Python; the code comes from an open source project called EmPyre. EmPyre is a legitimate open source Mac and Linux post-exploitation agent often used in penetration testing engagements. The attackers embedded a first-stage component of EmPyre in the Word document whose sole purpose was to call out to the command infrastructure at securitychecking[.]org[:]443/index[.]asp for the second stage. The site has since gone dark, so the researchers cannot be sure exactly what the second stage was, but it is likely the remaining EmPyre components.
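As a defender-side illustration of the two indicators described above, a macro-enabled document and a macro that shells out to Python and beacons to the named C2 host, the following triage script is an added example, not code from the article or from the researchers; the sample document and the indicator list are constructed for it.

```python
import io
import re
import zipfile

# Indicators taken from the article: a macro-enabled Word document (.docm)
# whose macro shells out to python, decodes embedded data, and beacons to
# this C2 host. The list is constructed for this example.
C2_HOST = b"securitychecking.org"
SUSPICIOUS = [rb"AutoOpen", rb"python", rb"base64", rb"Shell", C2_HOST]


def inspect_docm(docm_bytes):
    """Triage a .docm: report whether it carries a VBA project and which
    indicators appear in it. Caveat (assumption about real samples): the
    VBA source inside vbaProject.bin is stored MS-OVBA compressed, so a
    production check would decompress it (e.g. with oletools' olevba)
    before string matching; this constructed sample stores plain text."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        has_macro = "word/vbaProject.bin" in z.namelist()
        if has_macro:
            blob = z.read("word/vbaProject.bin")
            hits = [p.decode() for p in SUSPICIOUS if re.search(p, blob, re.I)]
    verdict = "suspicious" if has_macro and hits else "clean"
    return {"has_macro": has_macro, "indicators": hits, "verdict": verdict}


def build_sample(vba_blob=None):
    """Build a minimal constructed document; with vba_blob it mimics the
    layout of a macro-enabled .docm (not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if vba_blob is not None:
            z.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed macro text resembling the behaviour the article describes.
    macro = (b'Attribute VB_Name = "ThisDocument"\nSub AutoOpen()\n'
             b'  Shell "python -c \'import base64\'"\n'
             b"  ' beacon to securitychecking.org:443/index.asp\nEnd Sub\n")
    print(inspect_docm(build_sample(macro)))
    print(inspect_docm(build_sample()))
```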
“I see no reason why the attackers would use just one stage and not the other, especially when the first stage expects the second stage to be encrypted with a certain RC4,” Wardle said. “It’s possible that their code once it executes in the Word document could download and execute anything, but it’s very likely they’re going to download that second piece of the EmPyre agent.”
The second stage of EmPyre, Wardle said, is a persistent Mac backdoor that allows for a number of malicious capabilities, including modules for grabbing browser history, turning on the webcam, keylogging and dumping of hashes.
“From a hacker’s point of view, there’s this great open source module out there with all these different plugins, why not just use that,” Wardle said. “I think that’s what they did.”
Nothing is known about the attackers behind this campaign. It could be anybody with experience using macros together with an open source tool.
As for securitychecking[.]org, it has previously been associated with cybercrime activity such as phishing and other malware downloads.
This may not be the most advanced or sophisticated attack out there, but since it works, anyone randomly infected by it is in trouble. There is no rhyme or reason to how it is being spread as of this time, but more data about the macro attack will be released soon. Like other malware and ransomware, it could become an epidemic if not taken care of.