Researcher Details Sophisticated macOS Attack via Office Document Macros

guest · Aug 6, 2020

Researcher Details Sophisticated macOS Attack via Office Document Macros
August 5, 2020
https://www.securityweek.com/researcher-details-sophisticated-macos-attack-office-document-macros

Macros enable Office users to automate frequent tasks using VBA code. A macro added to an Office document can be triggered when the file is opened, a feature that cybercriminals started exploiting many years ago to execute malicious code that is typically designed to deploy a piece of malware.

Wardle revealed this week that he identified a way to make macro-based attacks against macOS systems much more efficient. He has described an exploit chain that bypassed all of the aforementioned security mechanisms, allowing an attacker to deliver their payload without any warning — the victim simply had to open the malicious document.

He demonstrated the exploit chain by spawning a reverse shell, which he used to deliver the OSX.WindTail backdoor.
Click to expand...

The researcher notified Apple about his findings and the company silently patched the vulnerabilities with the release of macOS 10.15.3. The company later edited its advisory to credit Wardle, but it did not assign a CVE identifier.
Click to expand...

Objective-See (Patrick Wardle): Office Drama on macOS

infecting macOS via macro-laden documents and 0days
Conclusion
Today we discussed the “current state of affairs” in-the-wild of macro attacks targeting macOS.
….showing that while such attacks are growing in popularity, current attacks are (still) rather lame!

However, with a bit of creativity we illustrated things could be far worst! Specifically, we detailed the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!
Click to expand...

Rasheed187 · Aug 8, 2020

Interesting stuff, that's why it's a good idea to never get too overconfident that hackers can't hit you. From what I understood, he could exploit MS Office without the user needing to enable macro's. And he could even escape the sandbox. I would like to see more behavior blockers for the macOS.

Log in or Sign up

Researcher Details Sophisticated macOS Attack via Office Document Macros

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Researcher Details Sophisticated macOS Attack via Office Document Macros

guest Guest

Rasheed187 Registered Member

Useful Searches