Researchers from FortiGuard Labs, part of Fortinet, have captured malware that infects both Windows and Apple OS X. The malware is distributed inside an infected Microsoft Word file, which asks the user to enable macros. From there it executes different code depending on which platform it is running on.
How does the malware work?
In their blog describing the malware, FortiGuard researchers Xiaopeng Zhang & Chris Navarrete describe what happens on each platform. It starts with the request for macros to be enabled. Despite repeated advice to users NOT to enable macros unless the document comes from a validated source, macros remain a major security problem.
To get around security software, the malware hides its initial code in the Comments property of the Word file. The data is stored encrypted; VBA code in the document decodes and runs it. At this point it checks which operating system is in use and then jumps to the appropriate code for that platform.
If the user has a Mac, a Python script is downloaded and executed. The researchers say this is a modified version of the Python Meterpreter file also used in the Metasploit framework. The code is publicly available on GitHub, and this is probably where the attackers got it from. The script will try to contact a command & control server to download more malware. That link is apparently not working at the moment, but it could go live at any time.
On Windows the malware creates a DOS-style command string that executes powershell.exe in hidden mode. It then uses that to execute the code hidden in the Word document. The PowerShell script decompresses additional code, which in turn calls another PowerShell script. The end result is that the malware downloads and executes a 64-bit DLL file. At present, the researchers say they are still trying to work out what the DLL file does.
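The technique described above, stashing an encoded payload in the document's Comments property and decoding it with a macro, leaves a signal a defender can look for. The following is an added example (not FortiGuard's code, and not the malware's): a small scanner that opens a .docx, reads the Comments property (stored as `dc:description` in `docProps/core.xml`), and flags the file when macros are present and the comment is unusually long and high-entropy. The thresholds and the constructed sample document are assumptions for illustration.

```python
import base64
import io
import math
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

DC_NS = "http://purl.org/dc/elements/1.1/"
CORE_PART = "docProps/core.xml"     # holds built-in properties, incl. Comments
MACRO_PART = "word/vbaProject.bin"  # present only when the document carries VBA

def shannon_entropy(text: str) -> float:
    """Bits per character: English prose sits near 4, base64/hex blobs near 6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def scan_docx(data: bytes, min_len: int = 256, min_entropy: float = 5.0) -> dict:
    """Return macro presence, Comments-property stats and a verdict (assumed thresholds)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        comments = ""
        if CORE_PART in names:
            node = ET.fromstring(zf.read(CORE_PART)).find(f"{{{DC_NS}}}description")
            comments = (node.text or "") if node is not None else ""
    has_macros = MACRO_PART in names
    entropy = shannon_entropy(comments)
    # Flag only the combination: a macro-enabled file whose Comments look like an encoded blob.
    suspicious = has_macros and len(comments) >= min_len and entropy >= min_entropy
    return {"has_macros": has_macros, "comments_len": len(comments),
            "comments_entropy": round(entropy, 2), "suspicious": suspicious}

def build_sample_docx(comments: str, with_macros: bool) -> bytes:
    """Constructed minimal .docx-style zip for offline testing (not a real Word file)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            f'metadata/core-properties" xmlns:dc="{DC_NS}"><dc:title>Invoice</dc:title>'
            f'<dc:description>{comments}</dc:description></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(CORE_PART, core)
        if with_macros:
            zf.writestr(MACRO_PART, b"\x00" * 16)  # stand-in for a real VBA project
    return buf.getvalue()

# Constructed stand-in for an encoded payload: base64 of a deterministic byte pattern.
SAMPLE_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()

if __name__ == "__main__":
    print(scan_docx(build_sample_docx(SAMPLE_BLOB, with_macros=True)))
    print(scan_docx(build_sample_docx("Reviewed by accounting.", with_macros=True)))
```

A real deployment would also extract the VBA itself (for example with oletools' olevba) and inspect it for code that reads `BuiltInDocumentProperties("Comments")`; this check is deliberately narrow to keep the example small.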
Tracking malware campaigns
Beyond a single attack targeting both Apple and Microsoft platforms, the researchers found another interesting detail. Inside the code is a PAYLOAD_UUID constant that is unique to each client. Zhang and Navarrete suggest this is being used for campaign tracking. This is not the first time malware writers have tried to track the effectiveness of a campaign, but it is still uncommon.
Conclusion
It is difficult to stop users from allowing macros to run when they open Office documents. Macros are still heavily used inside organisations, and most advanced training courses on Word and Excel feature macro creation and use. What is required is better education and help for users to identify suspicious documents containing macros. Few companies use deactivated malware to show users what to look for. Instead, they resort to an endless stream of emails telling them not to use a technology they often rely on. Microsoft could also improve the granularity of macro security so that users can choose specifically which spreadsheets to enable macros for.
This attack is interesting in that it seeks to attack multiple operating systems using the same infected document. Most malware is platform specific: if opened on another platform the code doesn't execute, leaving the malware writers with a failed infection. By simply checking for the operating system, the writers of this malware have increased their success rate.
It may be weeks before we get an accurate idea of exactly what the DLL file is designed to do. At that point we may also get a better idea of who the attackers are and what their motivation is.