It was only a matter of time: the first attack targeting Word for Mac has been released. It’s a simple, almost primitive hack, but it’s out there, so beware. There’s even a ‘silver lining’ of sorts.
The document is named
U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm
but the document name could be changed.
Interestingly, it’s a .docm file. A Word document with macros is .docm while most Word documents are .docx and can’t contain working macros at all.
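Because the file name can be changed, a defender triaging a suspicious document should look at the container rather than the extension. Here is an added example (not part of the original post) that inspects a Word OOXML zip for the two tell-tale signs of an embedded macro project, the `word/vbaProject.bin` part and the macro-enabled main content type; the sample documents are constructed stubs, and the VBA part is a few OLE header bytes, not a real project.

```python
import io
import zipfile

# Content type Word declares for a macro-enabled document (.docm); a plain .docx
# declares the ...wordprocessingml.document.main+xml type instead.
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"  # where Word stores the VBA project


def inspect_office_zip(data: bytes) -> dict:
    """Report what the OOXML container alone reveals: whether a VBA project part
    is present and whether the main part is declared macro-enabled.
    Does not decode the VBA source; that needs an MS-OVBA parser such as olevba."""
    result = {"has_vba_project": False, "macro_enabled_content_type": False, "parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["parts"] = names
        result["has_vba_project"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_content_type"] = MACRO_ENABLED_CT in ct_xml
    return result


def is_macro_bearing(data: bytes) -> bool:
    """True if either indicator is present, regardless of the file's extension."""
    r = inspect_office_zip(data)
    return r["has_vba_project"] or r["macro_enabled_content_type"]


def build_sample(macro: bool) -> bytes:
    """Constructed minimal container for the example; not a real Word document."""
    main_ct = MACRO_ENABLED_CT if macro else PLAIN_CT
    parts = {
        "[Content_Types].xml": f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        "word/document.xml": "<w:document/>",
    }
    if macro:
        # OLE compound-file magic followed by padding: a stand-in for a VBA project.
        parts[VBA_PART] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("macro-enabled sample" if flag else "plain sample", "->", is_macro_bearing(build_sample(flag)))
```

Run the same check on a file from disk by passing its bytes to `is_macro_bearing`; a renamed .docm still flags.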
If you open the document, there’s a warning from Word for Mac that there are macros in the document. The default is to disable macros.
We hope everyone reading this (Windows or Mac) knows to never enable macros unless you’re absolutely sure of the source.
The document has an AutoOpen macro that runs automatically when the document is opened.
From there, the attack is quite straightforward, using known techniques that are common to both Windows and Mac.
- Runs a Python script, not VBA, to do the main work
- Checks that it hasn’t already infected the computer with ‘LittleSnitch’
- Downloads the main virus from a web site and decrypts the download
- Runs the downloaded code to infect the Mac.
- Uses various techniques to ensure the virus persists on the Mac and runs automatically.
It’s all right out of a ‘Hackers for Mac 101’ course. For a forensic analysis, check out Objective-See.com.
Word for Windows?
Do NOT open it in Word for Windows … not even just for curiosity or a bet. This attack is designed for Macintosh computers, but it’s not worth the risk that someone releases a similar document that’s for Windows.
The bright side?
For many years, Mac users have been safe from macro attacks because Office for Mac wasn’t popular enough. Hackers didn’t bother with Office for Mac because there weren’t enough potential targets. Hacking resources are usually focused on the most numerous ‘audience’, which is MS Office and Windows.
In a perverse way, this Word for Mac exploit is a ‘coming of age’, showing that Office for Mac is popular enough to be worth a hacker’s effort.
Office for Mac users can’t rely on their relative obscurity to protect them from attacks.