"Overall this malware sample isn't particularly advanced. Wardle also discovered that the server from where the Word macro script downloaded the second-stage payload was located in Russia, on an IP address previously associated with other malware campaigns.
Nevertheless, Wardle did identify the commands in the first-stage payload as snippets taken from EmPyre, a post-exploitation OS X/Linux agent written in Python 2.7.Ĭommon sense says that the second-stage payload must have also borrowed some tricks from EmPyre, which includes modules for dumping the Apple keychain (password store), spying via the webcam, and stealing browser history files. Downloads another payload from a remote server ()īecause the remote server was down when Wardle analyzed the macro script, he never got to verify the true capabilities and purpose of the second-stage payload.Check if a Mac security app called LittleSnitch was running.Wardle, who extracted the macro script and analyzed it, says the macro contained a chunk of base64 data, which it extracted and executed as Python commands.Īfter a closer look at these commands, Wardle says the script would go through four stages:
#Remove malware in word for mac macro code
Office macro warning on macOS (via Pattrick Wardle)Īllowing the macro scripts to execute when opening the Word file would result in an immediate infection, as the malicious code contained within was set to execute under an auto-open function.
0 kommentar(er)
