Researcher Finds New Office Macro Attacks for MacOS

  /     /     /  
Publicated : 23/11/2024   Category : security


Researcher Finds New Office Macro Attacks for MacOS


Building successful macro attacks means getting past several layers of security, but a Black Hat speaker found a way through.



Microsoft Office is no stranger to vulnerabilities and exploits. Most of those vulnerabilities led from Microsoft Office to Microsoft Windows, but its possible for an attacker to take an exploit path from Microsoft Office to macOS — a path that Patrick Wardle, principal security researcher at Jamf, discussed in his presentation on Wednesday at Black Hat USA.
Wardle began by pointing out that macros — executable code inserted into documents — have been exploited as attack vectors since at least 1999. In the last three or four years, Wardle said, more of these exploits have been aimed at macOS targets as Macs have become more attractive targets because of their increased use in business environments.
The Human Side
In most of the macro-based attacks, human intervention on the part of the victim is required at least once, and usually twice, Wardle said. First, the victim must click on an email attachment or malicious link in order to download and open the infected document. Next, in most cases macros will not run on a system by default — they must be given explicit permission to run by the user.
Most macro-based attacks have two stages, Wardle explained. In the first — the stage given explicit permission to run by the victim — code executes that checks the system status, checks for the presence of anti-malware software, and then downloads the second stage. Its the second stage payload that contains the working code of the attack, whether its skimming credentials, creating a bot, or encrypting the systems data as part of a ransomware scheme.
Out of the (Sand)box
Modern malware writers have an additional hurdle to overcome. Microsoft Office now executes all macros in a sandbox, a walled-off environment within the operating system that prevents code from gaining persistence or interacting with the system as a whole. The goal for malware writers is breaking out of the sandbox.
Wardle said that researchers
Pieter Ceelen and Stan Hegt
found ways to include SYLK files and XLM code that make macros execute whether or not theyre invoked or allowed. They still run within the sandbox. Wardle showed that its possible to create files through a macro — files that can be placed outside the macro and can be built to auto execute on system boot. That combination is the key to persistence, one of the golden tickets that attackers pursue in any campaign.
What kind of files can fit the twin bill? Wardle found that a ZIP file, dropped into the proper subdirectory, will be invoked automatically. While the latest macOS endpoint security framework should detect such a files creation, Wardle said that theres room for research here.
Asked by an audience member how he decides on which areas to pursue in his research, Wardle said that he looks at common vulnerabilities and exposures and their patches — especially patches that are very specific — and wonders whether there can be ways around them. Also, he said, he keeps abreast of research and finds that other researchers are a constant source of inspiration.
Related content
North Koreas Lazarus Group Developing Cross-Platform Malware Framework
New MacOS Ransomware Hides in Pirated Program
Apple Pays Researcher $100,000 for Critical Vulnerability
Kaspersky Researchers Find Lazarus Enhances Capabilities in AppleJeus Cryptocurrency Attack

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Researcher Finds New Office Macro Attacks for MacOS