Threat Feed
high advisory

Malicious Word Document Targeting macOS Delivers Meterpreter

A malicious Word document targeting macOS users employs macros to download and execute a Meterpreter payload, leveraging a sandbox escape vulnerability and launch agent plist for persistence.

A malicious Microsoft Word document, discovered in December 2018, specifically targets macOS users. The document, named BitcoinMagazine-Quidax_InterviewQuestions_2018.docm, contains embedded VBA macros designed to download and execute a second-stage payload. The macros leverage a previously identified sandbox escape technique, allowing the malware to bypass the restrictions Microsoft Word's sandbox is meant to enforce. The ultimate goal is to establish persistence via a launch agent and execute a Meterpreter payload, granting the attacker remote access to and control over the compromised macOS system. This highlights the importance of macro security settings and the risk of running macros from untrusted sources, even when they arrive in documents that appear benign.

Attack Chain

  1. The user opens the malicious Word document (BitcoinMagazine-Quidax_InterviewQuestions_2018.docm) on a macOS system.
  2. If macros are enabled, the Document_Open() subroutine is executed.
  3. The macro decodes a base64-encoded Python script, storing it in the payload variable.
  4. The macro constructs a path to a launch agent plist file: ~/Library/LaunchAgents/~$com.xpnsec.plist.
  5. The macro creates a launch agent plist file (com.xpnsec.plist) containing the decoded Python script, configured to run at load.
  6. The macro saves the launch agent plist to disk using the system command, bypassing sandbox restrictions.
  7. The Python script connects to 109.202.107.20:9622 to download the Meterpreter payload.
  8. The downloaded Meterpreter payload is executed, granting the attacker remote access to the system.

Impact

Successful exploitation allows attackers to execute arbitrary commands, exfiltrate files, and perform other malicious activities on the compromised macOS system. The attacker gains a persistent foothold, allowing them to maintain access even after the initial Word document is closed. While the number of victims is unknown, the targeting of macOS users indicates a potential interest in specific user groups or environments.

Recommendation

  • Enable Sysmon process-creation logging to activate the rules below.
  • Block connections to the C2 IP address 109.202.107.20 at the firewall.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Detection coverage (2 rules)

Detect Suspicious Plist Creation via VBA Macros

high

Detects the creation of a plist file in the user's LaunchAgents directory from a Microsoft Word process, which is indicative of malware persistence.

Sigma rule | tactic: persistence | technique: T1547.001 | log sources: process_creation, windows

Detect Outbound Connection to Known Malicious IP from Python Script

high

Detects outbound network connections from Python scripts to a known malicious IP address.

Sigma rule | tactic: command_and_control | technique: T1071.001 | log sources: network_connection, windows
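The two detections above can be exercised offline against constructed telemetry. The following script is an added example, not the advisory's own Sigma rules or the platform's code: it implements the same two conditions (an Office process writing a .plist into a user's LaunchAgents folder, and a python interpreter connecting to the C2 address from this brief) over a handful of constructed events whose field names are assumptions modelled on Sigma's file and network_connection sources.

```python
import re

# Constructed sample events (not from the advisory). Field names are assumptions;
# map them to your EDR's schema. Paths follow macOS layout (~ = /Users/<name>).
SAMPLE_EVENTS = [
    {"type": "file_create",
     "image": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
     "target": "/Users/alice/Library/LaunchAgents/~$com.xpnsec.plist"},
    {"type": "file_create",  # benign: Word's own lock file inside its container
     "image": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
     "target": "/Users/alice/Library/Containers/com.microsoft.Word/Data/~$report.docx"},
    {"type": "network_connection",
     "image": "/usr/bin/python", "dst_ip": "109.202.107.20", "dst_port": 9622},
    {"type": "network_connection",  # benign: python talking to a CDN over TLS
     "image": "/usr/bin/python", "dst_ip": "151.101.1.67", "dst_port": 443},
]

C2_IP = "109.202.107.20"  # from the advisory
LAUNCH_AGENT_PLIST = re.compile(r"^/Users/[^/]+/Library/LaunchAgents/[^/]+\.plist$")
OFFICE_IMAGES = ("Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint")

def _basename(path):
    return path.rsplit("/", 1)[-1]

def rule_plist_from_office(evt):
    """Rule 1: an Office process creates a .plist under a user's LaunchAgents folder.
    The ~$ prefix the macro uses to get past the Word sandbox still ends in .plist,
    so the pattern catches it without special-casing the prefix."""
    if evt["type"] != "file_create":
        return False
    return _basename(evt["image"]) in OFFICE_IMAGES and bool(
        LAUNCH_AGENT_PLIST.match(evt["target"]))

def rule_python_to_c2(evt):
    """Rule 2: a python interpreter opens a connection to the known C2 address."""
    if evt["type"] != "network_connection":
        return False
    return _basename(evt["image"]).startswith("python") and evt["dst_ip"] == C2_IP

RULES = {"plist_from_office": rule_plist_from_office, "python_to_c2": rule_python_to_c2}

def run_rules(events):
    """Return (rule_name, event) pairs for every event that matched a rule."""
    return [(name, evt) for evt in events for name, rule in RULES.items() if rule(evt)]

if __name__ == "__main__":
    for name, evt in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {evt}")
```

Rule 1 is the broader of the two and will also fire on legitimate installers that register launch agents through Office, so tune it on the target filename before alerting on it.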


Indicators of compromise (1 IP, 1 URL)

Type   Value
ip     109.202.107.20
url    http://www.apple.com/DTDs/PropertyList-1.0.dtd

Note that the URL is the standard DOCTYPE reference present in every XML property list, including benign ones, so it identifies the dropped file's format rather than attacker infrastructure and should not be blocked on its own.