New Mac Malware Reported: a Malicious Word Doc and a Fake Software Update

Researchers have found instances of Mac exploits through malicious Microsoft Word documents that abuse macros, and fake software updates that download malicious code. While a boobytrapped Word document is found to be infecting Mac machines, a first such instance to be reported, and a fake software update of Adobe Flash Player is also doing the rounds.

Word document-based malware is something that is commonly seen infecting Windows machines, but has been spotted to infect Macs for the first time in the real-world scenario. Ars Technica reports that the attack was spotted in a Word file titled, "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace."

Unknowingly, if a Mac user opens this document, it will download and execute an encrypted payload without any warning to the user. The researchers were unable to understand what this attack actually did, but because it was copied precisely from EmPyre, it is presumed that it could "monitor webcams, steal passwords and encryption keys stored in the keychain, and accessing browsing histories."

Director of research at security firm Synack, Patrick Wardle, analysed the document and published his analysis. He wrote, "By using macros in Word documents, they are exploiting the weakest link; humans! And moreover since macros are 'legitimate' functionality (vs. say a memory corruption vulnerability) the malware's infection vector doesn't have to worry about crashing the system nor being 'patched' out."

However, Wardle said that overall the malware isn't particularly advanced as it relies on user interaction, as well as need macros to be enabled. However, even though this particular malware was poorly written and macOS malware has yet to catch up to its Windows counterparts, Ars Technica notes that the gap is steadily closing. We recommend you to never let unknown Word Docs run macros.

The other malware found attacking Mac machines earlier this week, was a MacDownloader virus posing as an Adobe Flash Player update. This is again a tactic found in many Windows exploits, where a fake software update of an app pops-up, but when you hit update, malicious code gets downloaded. This is more sophisticated than Word malware, and it potentially puts your usernames, passwords, and other sensitive data at risk. Users are of course, cautioned to not click random update links, and only rely on system tools or official sites for updates. However, if it's a Flash update, we'd recommend you to uninstall the app instead.