Old Windows Malware Techniques Used in New Mac Malware

Just because Macs are not victims of malware that often, doesn’t mean they are completely safe. As this new Mac malware detected earlier this week proved.

The Mac security researchers have detected two separate MacOS malware in this week. One of these exploits relies on an old Windows technique. A malicious Microsoft Word that is abusing macros, with title “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace,” has been sent.

Patrick Wardle, director of security firm Synack noted that, when Mac users opened the received document in a Word application configured in order to allow macros and ignore warnings, the embedded macro has automatically checked that the LittleSnitch security firewall wasn’t running.

It then downloads a payload which is encrypted, decryptable using a hard-coded key and then executed the payload. It seems that code in macro was taken from one of the open-source exploit frameworks for Macs called EmPyre. By the time the document was tracked by the specialists, the site payload was downloaded from was no longer serving that, so it is impossible to tell exactly what it has been doing.

Given the fact that the code was very similar to EmPyre, this malware could very well monitor webcams, steal encryption keys and password, and access browser history logs.

While this type of attack is nowadays considered primitive, especially given the fact that Office itself advises against allowing macros to run with a clear warning about potential viruses, some Mac users were still affected.

The other malware instance discovered this week also relied on classic Windows tactics by faking a regular software update dialog that downloads malicious code rather than the app’s needed update. The MacDownloader virus presented itself as an Adobe Flash Player update, which everyone knows are annoying. This is what attackers were counting on, of course, as people either dismiss the updates or just press yes to get them dismissed once and for all.

Related posts

ANY.RUN Discovers Tricky Phishing Attack Using Fake CAPTCHA

Kia Dealer Portal Vulnerability Risked Millions of Cars

Latest Octo Malware Variant Mimics Popular Apps Like NordVPN, Chrome