Macro-Based Malware Adopts Donald Trump Theme to Target Mac Users

February 8, 2017 2:10 pm David Bisson

Security researchers have spotted a type of malware that leverages malicious macros and a Donald Trump theme to target Mac users.

On 6 February, Symantec Norway senior principal security researcher Snorre Fagerland came across a file on VirusTotal entitled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.” The file bears the same name as an article published by Carnegie, a foreign policy think tank based in Washington, D.C. But by no means does it behave the same.

Patrick Wardle, a former NSA hacker and founder of Objective-See, examined the file and found that it is a Microsoft Word document containing malicious macros. Interestingly, the file triggers only on macOS. When a Mac user attempts to open it, Apple displays a message warning them that the document contains macros. Clicking “enable macros” causes the file to download a payload from https://www[dot]securitychecking[dot]org:443/index[dot]asp that affords the attacker continuous access to the infected host.


The malware uses throwaway domains for its command and control (C&C) server, which was operational for only a limited amount of time. Consequently, Fagerland thinks the malware is the work of government hackers. As he told Motherboard Vice:

“I really can’t point the finger at anyone for this. But there are some indicators pointing towards Russian speakers (which actually can mean many countries), and even that could be faked.”

Corroborating this position, VirusTotal scanned securitychecking[dot]org and found it resolved to 185.22.174.37, an IP address which is geolocated in Russia and associated with other malicious activities like phishing.
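Defenders can sweep web-proxy logs for the domain and IP address named above. The sketch below is an added example, not code from the article or the researchers; the log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the article, kept defanged in source.
DEFANGED_IOCS = [
    "https://www[dot]securitychecking[dot]org:443/index[dot]asp",
    "securitychecking[dot]org",
    "185.22.174.37",
]

# Constructed sample lines in an assumed proxy-log layout:
# timestamp client_ip dest_host dest_ip method url_path
SAMPLE_LOG = """\
2017-02-06T09:14:02Z 10.0.4.17 www.securitychecking.org 185.22.174.37 CONNECT /
2017-02-06T09:14:05Z 10.0.4.17 WWW.SecurityChecking.org. 185.22.174.37 POST /index.asp
2017-02-06T09:15:40Z 10.0.4.22 notsecuritychecking.org 203.0.113.9 GET /
2017-02-06T09:16:11Z 10.0.4.31 cdn.example.net 185.22.174.37 GET /a.js
2017-02-06T09:17:00Z 10.0.4.40 intranet.example.com 198.51.100.7 GET /
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def load_iocs(defanged):
    """Refang the indicators and split them into domain and IP sets."""
    domains, ips = set(), set()
    for item in defanged:
        value = item.replace("[dot]", ".")
        host = (urlsplit(value).hostname if "://" in value else value).lower()
        (ips if IPV4.fullmatch(host) else domains).add(host)
    return domains, ips

def find_hits(log_text, domains, ips):
    """Return (client_ip, reason) for each log line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines
        # Normalise case and a trailing root dot before comparing hostnames.
        client, host, dest_ip = fields[1], fields[2].lower().rstrip("."), fields[3]
        # Match on label boundaries: the exact domain or a subdomain of it,
        # so look-alikes such as notsecuritychecking.org are not flagged.
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((client, "domain"))
        elif dest_ip in ips:
            hits.append((client, "ip"))
    return hits
```

An IP-only hit, like the fourth sample line, is weaker evidence than a domain hit because unrelated sites can share an address, so treat it as a lead to investigate.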

Wardle acknowledges the attackers used a reliable attack vector to target Mac users:

“Overall this malware sample isn’t particularly advanced. It relies on user interaction (to open a malicious document in Microsoft Word, (not Apple’s Pages)), as well as needs macros to be enabled. …[L]et’s be nice and give the attackers some credit. By using a macros in Word document they are exploiting the weakest link; humans!”

This attack highlights the need for organizations to train their employees about the dangers of macro-based malware samples and the phishing campaigns that distribute them. Companies can accomplish this aim with the help of third-party security awareness training software.