{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/office-for-mac/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office for Mac"],"_cs_severities":["high"],"_cs_tags":["macos","word","macros","meterpreter","sandbox escape"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA malicious Microsoft Word document, discovered in December 2018, specifically targets macOS users. The document, named BitcoinMagazine-Quidax_InterviewQuestions_2018.docm, contains embedded VBA macros designed to download and execute a second-stage payload. The macros leverage a previously identified sandbox escape technique, allowing the malware to bypass Microsoft Word\u0026rsquo;s intended restrictions. The ultimate goal is to establish persistence via a launch agent and execute a Meterpreter payload, granting the attacker remote access and control over the compromised macOS system. This highlights the importance of macro security settings, and the risk of running macros from untrusted sources, even if those sources appear to be benign documents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user opens the malicious Word document (BitcoinMagazine-Quidax_InterviewQuestions_2018.docm) on a macOS system.\u003c/li\u003e\n\u003cli\u003eIf macros are enabled, the \u003ccode\u003eDocument_Open()\u003c/code\u003e subroutine is executed.\u003c/li\u003e\n\u003cli\u003eThe macro decodes a base64-encoded Python script, storing it in the \u003ccode\u003epayload\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003eThe macro constructs a path to a launch agent plist file: \u003ccode\u003e~/Library/LaunchAgents/~$com.xpnsec.plist\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe macro creates a launch agent plist file (com.xpnsec.plist) containing the decoded Python script, configured to run at load.\u003c/li\u003e\n\u003cli\u003eThe macro saves the launch agent plist to disk using the \u003ccode\u003esystem\u003c/code\u003e command, bypassing sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe Python script connects to 109.202.107.20:9622 to download the Meterpreter payload.\u003c/li\u003e\n\u003cli\u003eThe downloaded Meterpreter payload is executed, granting the attacker remote access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands, exfiltrate files, and perform other malicious activities on the compromised macOS system.  The attacker gains a persistent foothold, allowing them to maintain access even after the initial Word document is closed. While the number of victims is unknown, the targeting of macOS users indicates a potential interest in specific user groups or environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rules below.\u003c/li\u003e\n\u003cli\u003eBlock connections to the C2 IP address \u003ccode\u003e109.202.107.20\u003c/code\u003e at the firewall.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T16:25:00Z","date_published":"2024-01-26T16:25:00Z","id":"/briefs/2024-01-mac-word-malware/","summary":"A malicious Word document targeting macOS users employs macros to download and execute a Meterpreter payload, leveraging a sandbox escape vulnerability and launch agent plist for persistence.","title":"Malicious Word Document Targeting macOS Delivers Meterpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-mac-word-malware/"}],"language":"en","title":"CraftedSignal Threat Feed — Office for Mac","version":"https://jsonfeed.org/version/1.1"}