Security researcher Patrick Wardle has observed a significant increase in attacks with macOS-specific macro malware. As he explained in his lecture “Office Drama on macOS” on Wednesday at the Black Hat 2020 conference, Macs are becoming an increasingly popular target due to their increasing use – especially in the business sector, for example among young start-ups.
Attacks with prepared MS Word documents are old hat on Windows systems. Most users have internalized typical rules of conduct to protect against harmful VBA macro code: they are suspicious of e-mail attachments in .doc or .docm format and, as far as possible, refrain from activating and using macros in Office. Under macOS, on the other hand, macros are hardly an issue, and users are far less aware of the potential dangers.
To illustrate the risk, which he considers underestimated, the researcher presented a self-developed attack chain that minimizes the required user interaction (“0-click”) and even bypasses macOS Catalina-specific protection mechanisms. Wardle’s technique no longer poses an acute danger to users who keep their systems updated, since it should no longer work in the form described on systems with current Office and operating system versions since the end of 2019. Nevertheless, it demonstrates the basic attack options very clearly.
Previous real-life scenarios as a starting point
Wardle has long been concerned with malicious Office macros targeting Macs. As early as 2017, he discovered and analyzed a Word document that was circulating in the wild at the time:
In the current lecture, Wardle considers the attack tactics of the past few years “super lame”, since they always trigger a warning from the operating system before opening: the malicious macro code can only be executed if the user clicks on “Enable Macros”. As further constraints on earlier malware, he named the macOS sandbox in which Microsoft Office runs and the app notarization mechanism, which can prevent the execution of malicious code following a sandbox escape.
To bypass the security notification (step 1), Wardle uses the vulnerability CVE-2019-1457, which Microsoft fixed in the macOS versions of Microsoft Office 2016 and 2019 in late November 2019. The flaw was that macros in the old XLM format in files with the .slk extension (SYLK file format) were executed automatically when the file was opened – even if the macro function was disabled.
Wardle accomplishes the sandbox escape (step 2) using an incorrect regular expression in Microsoft’s sandbox rules for Office that security researcher Adam Chester described in a 2018 blog post and that Microsoft had only insufficiently fixed. Thanks to this error, it was possible to create files from within the sandbox in (almost) any location.
Wardle’s macro code creates a “Login Item” (or “Startup Item”), which is executed automatically when the user logs in – and now outside the context of the sandbox. Wardle solved the remaining problem of notarization and the quarantine mechanism quite creatively: instead of an executable, he placed a ZIP file as the login item.
At login, the Archive Utility, as the default handler for ZIP files, unpacked it and created a launch agent that could then start a reverse shell without triggering Catalina’s security mechanisms.
Apple: Fixes, but no CVE
After Microsoft, Apple has now also fixed the problem: since version 10.15.3 from February 2020, Catalina has been protected against the attack chain Wardle built. However, the researcher did not receive a bug bounty, and no CVE number was assigned.
To protect against macro malware, Wardle recommends process and file monitoring as well as behavior-based malware detection – and reading his free book “The Art Of Mac Malware”.
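As an added example (not code from Wardle’s talk or from the article), a small Python checker for the persistence stage described above: it parses LaunchAgent plists and flags agents that run at login from user-writable paths, launch an interpreter with an inline command, or keep themselves alive. The sample agents, their labels and paths are constructed for the demo.

```python
import os
import plistlib
import tempfile

# Locations an unprivileged user (or an Office process that escaped its sandbox) can write to.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}

def launch_agent_findings(plist_path):
    """Return the reasons a LaunchAgent plist looks suspicious (empty list means nothing notable)."""
    with open(plist_path, "rb") as fh:
        agent = plistlib.load(fh)
    args = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    if not args:
        return ["no Program or ProgramArguments key"]
    reasons = []
    if agent.get("RunAtLoad") and any(a.startswith(USER_WRITABLE) for a in args):
        reasons.append("runs at login and references a user-writable path: " + " ".join(args))
    if args[0] in INTERPRETERS and "-c" in args[1:]:
        reasons.append("interpreter launched with an inline command (-c)")
    if agent.get("KeepAlive"):
        reasons.append("KeepAlive set: relaunched whenever the process exits")
    return reasons

def scan_launch_agents(directory):
    """Map each suspicious .plist in directory to its list of findings."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            reasons = launch_agent_findings(os.path.join(directory, name))
            if reasons:
                results[name] = reasons
    return results

def demo():
    """Write two constructed sample agents to a temp dir and scan them (labels/paths are made up)."""
    benign = {"Label": "com.example.updater", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}
    dropped = {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
               "ProgramArguments": ["/bin/bash", "-c", "/Users/alice/Library/.helper/run.sh"]}
    with tempfile.TemporaryDirectory() as tmp:
        for agent in (benign, dropped):
            with open(os.path.join(tmp, agent["Label"] + ".plist"), "wb") as fh:
                plistlib.dump(agent, fh)
        return scan_launch_agents(tmp)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    # On a real Mac: scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))
```

The checks are heuristics: a legitimate agent can live under /Users too, so treat a hit as a prompt to inspect the referenced file and its quarantine attribute, not as a verdict.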