Macros — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/macros/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 16:25:00 +0000Malicious Word Document Targeting macOS Delivers Meterpreterhttps://feed.craftedsignal.io/briefs/2024-01-mac-word-malware/Fri, 26 Jan 2024 16:25:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-mac-word-malware/A malicious Word document targeting macOS users employs macros to download and execute a Meterpreter payload, leveraging a sandbox escape vulnerability and launch agent plist for persistence.A malicious Microsoft Word document, discovered in December 2018, specifically targets macOS users. The document, named BitcoinMagazine-Quidax_InterviewQuestions_2018.docm, contains embedded VBA macros designed to download and execute a second-stage payload. The macros leverage a previously identified sandbox escape technique, allowing the malware to bypass Microsoft Word’s intended restrictions. The ultimate goal is to establish persistence via a launch agent and execute a Meterpreter payload, granting the attacker remote access and control over the compromised macOS system. This highlights the importance of macro security settings, and the risk of running macros from untrusted sources, even if those sources appear to be benign documents.

Attack Chain

  1. The user opens the malicious Word document (BitcoinMagazine-Quidax_InterviewQuestions_2018.docm) on a macOS system.
  2. If macros are enabled, the Document_Open() subroutine is executed.
  3. The macro decodes a base64-encoded Python script, storing it in the payload variable.
  4. The macro constructs a path to a launch agent plist file: ~/Library/LaunchAgents/~$com.xpnsec.plist.
  5. The macro creates a launch agent plist file (com.xpnsec.plist) containing the decoded Python script, configured to run at load.
  6. The macro saves the launch agent plist to disk using the system command, bypassing sandbox restrictions.
  7. The Python script connects to 109.202.107.20:9622 to download the Meterpreter payload.
  8. The downloaded Meterpreter payload is executed, granting the attacker remote access to the system.

Impact

Successful exploitation allows attackers to execute arbitrary commands, exfiltrate files, and perform other malicious activities on the compromised macOS system. The attacker gains a persistent foothold, allowing them to maintain access even after the initial Word document is closed. While the number of victims is unknown, the targeting of macOS users indicates a potential interest in specific user groups or environments.

Recommendation

  • Enable Sysmon process-creation logging to activate the rules below.
  • Block connections to the C2 IP address 109.202.107.20 at the firewall.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
]]>highadvisorymacoswordmacrosmeterpretersandbox escape