Malicious Word Macros Responsible for Spreading MacOS Malware

According to IT Security researchers, MacOS malware is now being spread by malicious Word macros. This is the first occasion on which MacOS malware has been recognised as having been used to spread this attack vector.

Windows users can anticipate that they are vulnerable to attack with malware, however until now Mac users have stayed relatively safe. The overwhelming majority of malware has Windows users as targets, malware attacks on Mac users, on the other hand, remain relatively uncommon. That said, MacOS malware does indeed exist and Apple devices are now the subject of attack, albeit on a proportionately small scale.

A new form of spreading infection is now being utilised. IT Security researchers have uncovered a campaign that uses malicious Word macros to infect Macs. A document entitled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace” is used by the wrongdoers. It has been recognised for some time that Attackers often use up to date news reports to tempt victims into opening malicious email attachments.

If this document is opened, and users ignore the warnings which advise that the document contains an embedded macro, it is probable that the Mac device concerned will be infected with malware.

Prior to the malicious payload being downloaded, the macro – which is known to contain Python code – verifies whether or not the LittleSnitch security firewall is running. If not, an encrypted payload will be downloaded, it then is decrypted using a hardcoded key, and finally the payload is executed which infects the victim’s device.

The researchers have been unable to confirm the precise nature of the MacOS malware. This is because the site that was accessed in order to download the payload was not active any more. Nonetheless, the researchers did gather from the Python code that the infection would be persistent and a variety of malicious actions could be carried out, such as controlling the computer’s webcam, viewing web browsing histories, plus stealing both passwords and keychain-stored encryption keys.

In the subject case, the malware was found to be both poorly written and not very advanced, however the use of malicious Word macros to transmit MacOS malware is considerable. These attacks are rather difficult to foil as they use legitimate methods to infect the end users. It is possible to block macros, however a large number of companies use macros in Office documents for everyday tasks so it is completely impractical to permanently block macros in order to avoid malware infections.

Ultimately, end users must be trusted not to run the macros. However as has been witnessed on numerous occasions, while the majority of people recognise that macros should never be run if they are sent from unknown sources, security awareness training is often forgotten or ignored when it comes to a real-life situation.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on and contact Emma at