A new form of Microsoft Word macro-based malware has been discovered by cyber security researchers. This malware can affect both Windows and MacOS systems but follows different methods of attack for each operating system.
The malicious macro is built-up on VBA (Visual Basic for Applications) code and contains instructions to automatically execute when the file is opened. This VBA code is based on an existing Metasploit framework, and the cyber criminals seem to have modified it so that it initially detects the operating system and then executes the attack.
Considering security reasons that macros could contain malicious code, many enterprises and users disable macros. In this attack, the malicious MS Word file contains an image that states “This document is protected” and further instructions that previewing online was not available for protected documents. Further, it instructs the user to “Enable Editing” and “Enable Content” in the yellow Security Warning bar. The content looks convincing enough to dupe common users to enable Macros.
And once Macros have been enabled, the malicious code gets executed triggering the auto open function. The VBA code reads and decodes the base64-encoded comments value of the word file. Now sensing the type of OS – Windows or MacOS – the code takes different routes.
The Attack in Windows
In Windows, execution of code initiates powershell.exe in a hidden form and the base64-encoded code gets executed. This script decompresses zipped code to get, decompress and execute another powershell code. This code now downloads a 64-bit DLL file from a server, and this DLL has the capability to communicate with this server.
The Attack in MacOS
As Python is pre-installed in MacOS, this attack executes a base64-decoded python script which downloads another python script from a suspicious location. This script is part of a Metasploit framework and is a customized Python meterpreter file. Execution of the script connects to the attacker’s server.
The above exploit plays on duping users into allowing macros to run on MS Word application. A robust Malware prevention program that depends on default-deny approach, real-time process monitoring, and behavioral analysis would be the right defense against such exploits. As this exploit may be successful against Mac systems, users must install effective MAC security software that monitors all processes in real-time for suspicious behavior.