MacOS Malware Spread by Malicious Word Macros

Security researchers have discovered that MacOS malware is being spread by malicious Word macros. This is the first time that MacOS malware has been discovered to be spread using this attack vector.

Windows users can expect to be attacked with malware, but Mac users have remained relatively safe. The vast majority of malware targets Windows users, with malware attacks on Mac users still relatively rare. However, MacOS malware does exist and users of Apple devices are now being targeted, although still on a relatively small scale.

However, a new method of infection is now being used. Security researchers have identified a campaign that is using malicious Word macros to infect Macs. The campaign uses a document titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.” Attackers commonly use topical news stories to lure victims into opening infected email attachments.

Should this document be opened, and users ignore the warnings displayed about the document having an embedded macro, their Mac is likely to be infected with malware.

However, before the malicious payload is downloaded, the macro – which contains Python code – checks to see if the LittleSnitch security firewall is running. If it is not, an encrypted payload is downloaded, decrypted using a hardcoded key, and the payload is then executed infecting the victim’s computer.

The researchers were not able to determine the exact nature of the MacOS malware because the site that was accessed to download the payload was no longer active. However, the researchers did notice from the Python code that infection would be persistent and a range of malicious actions could be performed, including taking control of the webcam, accessing web browsing histories, and stealing passwords and keychain-stored encryption keys.

In this case, the malware was poorly written and was not particularly advanced, but the use of malicious Word macros to spread MacOS malware is significant. These attacks are hard to prevent since they use legitimate methods to infect end users. Macros can be blocked, but many companies use macros in Office documents for day to day tasks so it is not possible to permanently block macros to prevent malware infections.

That means that end users must be relied on not to run the macros, and as we have seen on many occasions, even though most people are aware that macros should never be run if they are sent from unknown individuals, oftentimes security awareness training is ignored.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of