Macro Malware Targets Macs
Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this challenge.
In previous versions of macro threats, the malicious code was hidden in user forms and macros in Microsoft Office files. (See Macro Malware Associated With Dridex Finds New Ways to Hide.) The latest member of this family seems to have learned a new trick or two, as we now will see.
- The malicious code is now hidden in the properties of Excel worksheet files:
A malicious Excel file ready to be executed.
When the file is opened we see this message.
If we access the file’s properties, we can read the Powershell script code.
The full content in Properties.
Location of hidden content.
An extract of the Powershell content.
- The malicious code runs Powershell, which downloads malware after the victim enables macros.
- The macro searches for the hidden code in Properties and runs it using Powershell, but this works only on Windows systems. How does the malicious code execute on the Mac? The malware developers use MacScript:
The macro code verifies whether WScript.Shell is present. In case of an error, the code executes the module macshell:
This script runs the code on the Mac. The script runs with the same permissions as Microsoft Office.
As we ran this analysis, the control server contacted by this malware sample was not running; so we were unable obtain the payload.
The MD5 hash for the samples we found:
Full descriptions of the W97M and X97M malware families are available in our Threat Advisories:
During our analysis, the malware attempted contacted the following server (with URL modified for safety):
Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect this malicious Office Trojan as X97M/Downloader.bf.