Researcher Details Advanced MacOS Attack via Office Document Macros


    A researcher discovered a approach to ship malware to macOS methods utilizing a Microsoft Workplace doc containing macro code. The sufferer merely has to open the doc and no alerts are displayed.

    Macros allow Workplace customers to automate frequent duties utilizing VBA code. A macro added to an Workplace doc could be triggered when the file is opened, a characteristic that cybercriminals began exploiting a few years in the past to execute malicious code that’s usually designed to deploy a chunk of malware.

    This is the reason Microsoft has disabled the execution of macros by default — customers need to explicitly allow macros in the event that they need to execute the code in a doc. Nevertheless, that has not discouraged menace actors, who usually depend on social engineering to trick victims into enabling macros. In response, Microsoft has launched a characteristic which ensures that the macro code is executed in a sandbox even when the person permits it to run.

    Whereas a overwhelming majority of macro-based assaults goal Home windows methods, in recent times, researchers noticed some assaults geared toward macOS customers, together with one marketing campaign that has been linked to North Korea’s Lazarus group.

    Nevertheless, Patrick Wardle, principal safety researcher at Apple gadget administration firm Jamf, identified that these assaults weren’t very subtle they usually possible had a low success price, because the focused person would explicitly need to allow macros, not one of the assaults was in a position to escape the applying sandbox even when the macro was executed, and Apple’s quarantine characteristic and notarization checks may have blocked extra payloads.

    Wardle revealed this week that he recognized a approach to make macro-based assaults in opposition to macOS methods way more environment friendly. He has described an exploit chain that bypassed all the aforementioned safety mechanisms, permitting an attacker to ship their payload with none warning — the sufferer merely needed to open the malicious doc.

    First, as a way to have the macro code mechanically executed when the sufferer opened the doc, with out having to explicitly allow macros, the researcher used a technique that was disclosed in 2018. Pieter Ceelen and Stan Hegt confirmed on the time that XML macros in SYLK recordsdata have been mechanically executed in Workplace 2011 for Mac. XML is the macro programming language used earlier than VBA and SYLK is an previous Microsoft file format designed for exchanging information between purposes.

    Final yr, an advisory revealed by CERT/CC revealed that the vulnerability nonetheless labored on more moderen variations of Workplace for Mac if the person had enabled the “Disable all macros with out notification” choice.

    “As that is probably the most ‘safe’ setting it might usually be set, particularly by safety aware customers or organizations,” Wardle defined in a weblog submit.

    Utilizing this technique would be certain that the attacker’s macro is executed with none alerts being displayed on the focused gadget. Nevertheless, the code would nonetheless run in a sandbox.

    A sandbox escape that might be helpful on this assault was disclosed in 2018 by researcher Adam Chester. His technique was patched on the time by Microsoft, however Wardle just lately discovered a approach to bypass the repair, which might be certain that the malicious code is run outdoors the sandbox on the following login.

    All that’s left now’s to bypass Apple’s notarization checks, which stop code downloaded from the web from executing. Notarizing a chunk of software program is an automatic course of wherein Apple’s notary service scans the software program for malicious code. Wardle overcame this hurdle by abusing the Archive Utility app in macOS.

    Malware delivered to macOS via Office macros

    He demonstrated the exploit chain by spawning a reverse shell, which he used to ship the OSX.WindTail backdoor.

    The researcher notified Apple about his findings and the corporate silently patched the vulnerabilities with the discharge of macOS 10.15.3. The corporate later edited its advisory to credit score Wardle, but it surely didn’t assign a CVE identifier.

    Wardle is an knowledgeable in Mac safety and his analysis initiatives over the previous years have led to the invention of some attention-grabbing vulnerabilities. This week he introduced a brand new e-book sequence, The Artwork of Mac Malware, which could be learn without spending a dime on-line.

    Associated: Repurposing Mac Malware Not Tough, Researcher Exhibits

    Associated: Hackers Can Bypass macOS Safety Options With Artificial Clicks

    view counter

    Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He labored as a highschool IT instructor for 2 years earlier than beginning a profession in journalism as Softpedia’s safety information reporter. Eduard holds a bachelor’s diploma in industrial informatics and a grasp’s diploma in laptop strategies utilized in electrical engineering.

    Earlier Columns by Eduard Kovacs:

    Recent Articles

    More attackers using Exploits from Zero Day

    A examine this 12 months by FireEye has discovered that extra attackers used zero day exploits of their cyber assaults in 2019 than in...

    Windows 10 Build 20211 allows you to access Windows and WSL 2 Linux file systems.

      Dev Channel Insiders are in for a deal with this week. Home windows 10 Construct 20211 introduces numerous new options, together with including Search...

    Arch Linux Based Distribution from A Beginner

      If you’re in search of an Arch-based newbie’s Linux distribution and simpler to make use of and set up, gives all attainable desktop environments...

    Zerologon: How Bitdefender protects consumers from this Post-Exploit No-Credential Technique

      Zerologon is a zero-credential vulnerability that exploits Home windows Netlogon to permit adversaries entry to the Lively Listing area controllers, first reported in August...

    Hackers gather intelligence on potential opponents of the regime in Iran

      Iranian Group Discovered Spying on Dissidents An Iran linked group, named Rampant Kitten by researchers, has been found focusing on anti-regime organizations in a marketing...

    Related Stories