Security researchers have discovered a dangerous new threat – a rare instance of a Macro Mac OS X malware which infects targets via documents.
A Rare Instance, A Macro OS X Malware Has Been Identified
A dangerous new type of viruses have emerged, this type targeting the second most popular desktop operating system. Security researchers discovered a new Macro Mac OS X malware which functions similar to the popular Windows-based viruses that also use this strategy.
The virus is apparently made by an unknown hacker collective that hosts its resolve IP addresses from Russia. The malware itself is contained in infected Word documents and the dangerous macro runs only on the Mac OS X platform. The instance was detected in an email spam campaign that used the subject line ““U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm“. When a target attempts to open the attached document they are present with a dialogue box that instructs them that the macros need to be activated to correctly display the contents. If the victims are running the Mac OS X operating system then the included payload infects the local system. The malware can be acquired by downloading infected Adobe Flash installers located on various hacked or malicious sites as well.
The document triggers a dangerous malware download which can be modified by the operators. The malware bypasses Apple’s Gatekeeper protection which blocks any unsigned code from executing on the machine as the user grants access when they allow the virus to run.
When the virus is activated onto the host system, a built-in script decodes the downloaded payload data and executed it via a Python interpreter taken from the open-source project EmPyre. This initiates the second stage of the infection which downloads a persistent Mac OS X backdoor. The virus contains advanced features that allows the hackers to issue the following commands:
-
Browser History Acquisition.
-
Webcam manipulation and recording.
-
Logging of keystrokes and mouse movement.
-
Password hashes extraction.
-
System Information Extraction.
Once the malware is active on the host system it generates fake system logix boxes which attempt to steal account credentials from the victims. It also generates a counterfeit Adobe Flash Player dialog box which announces that an adware infection is active on the computer and that the system will attempt to remove any virus traces.
The initial security analysis shows that its operators might be related to a hacker collective from Iran. The current version of the virus contains a lot of errors and is not rated as an extremely dangerous one. However any future versions can prove to be quite malicious if development continues.