A fresh outbreak of malware that affects the Mac operating system via a foul Word document could ruin your day.
We know. "Oh no… not macOS". This is terrible news, and we know that some people will take it badly. Our sympathies are with you and we hope that you can find the strength to bounce back.
The good news is you would have to be crackers to open the file if you were sent it unsolicited. It doesn't promise free movies, software or boobies and is actually about President Trump.
The document is called "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace". If you were to try to open it you would be greeted with a pop-up note saying that you need to enable a macro to open it.
Patrick Wardle, writing on the Objective See blog, said that opening the document is a bad idea: "Attempting to open the document in Word (within an isolated macOS VM) triggers an expected 'this document contains macros' warning," he said.
Persisting here launches the macro and sets a number of scripts running. Wardle found that the macro runs a Python script and checks to see if the LittleSnitch network monitoring tool is running. Following this, another script, cadged from the open-source EmPyre project, is downloaded from an IP in Russia.
"EmPyre is a 'pure Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture.' OK, so the attackers are using an open-source multi-stage post-exploitation agent. Hooray for code reuse I guess?" said Wardle.
"The persistent component of EmPyre can also be configured to run a wide range of EmPyre modules. These modules allow the attacker to perform a myriad of nefarious actions such as enabling the webcam, dumping the keychain, and accessing a user's browser history."
Wardle added in a coda that the malware isn't very advanced, and is easily avoided by not enabling macros and not opening the Word doc. Smashing stuff. µ
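The behaviour Wardle describes, a Word macro spawning Python, is the kind of thing a defender can look for in a process listing. As an added example (not code from the article or from Objective-See), the script below parses `ps -eo pid,ppid,comm` output in its macOS form (full command paths) and flags scripting processes that have an Office application anywhere in their ancestry; the sample process list is constructed.

```python
# Added example: flag python/shell processes descended from Microsoft Office apps,
# the pattern produced by a macro that launches a script (see the article above).
# SAMPLE_PS is a constructed `ps -eo pid,ppid,comm` listing in macOS format.
import subprocess
from typing import Dict, List, Tuple

SAMPLE_PS = """\
  PID  PPID COMM
    1     0 /sbin/launchd
  412     1 /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
  733   412 /bin/sh
  734   733 /usr/bin/python
  900     1 /usr/bin/python
"""

OFFICE_MARKERS = ("Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint")
SCRIPT_MARKERS = ("python", "osascript", "/bin/sh", "/bin/bash", "curl")

def parse_ps(text: str) -> Dict[int, Tuple[int, str]]:
    """Map pid -> (ppid, command) from `ps -eo pid,ppid,comm` output."""
    procs: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, 2)              # command may contain spaces
        if len(parts) < 3:
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def office_ancestor(procs: Dict[int, Tuple[int, str]], pid: int) -> bool:
    """True if any ancestor (not the process itself) is an Office application."""
    seen = set()
    cur = procs[pid][0] if pid in procs else 0
    while cur in procs and cur not in seen:      # seen-set guards against cycles
        seen.add(cur)
        ppid, comm = procs[cur]
        if any(marker in comm for marker in OFFICE_MARKERS):
            return True
        cur = ppid
    return False

def find_office_spawned_scripts(procs: Dict[int, Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (pid, command) for scripting processes with an Office ancestor."""
    return sorted((pid, comm) for pid, (_, comm) in procs.items()
                  if any(m in comm for m in SCRIPT_MARKERS) and office_ancestor(procs, pid))

def scan_live_processes() -> List[Tuple[int, str]]:
    """Run the heuristic against the current machine's process table."""
    out = subprocess.run(["ps", "-eo", "pid,ppid,comm"],
                         capture_output=True, text=True, check=True).stdout
    return find_office_spawned_scripts(parse_ps(out))

if __name__ == "__main__":
    for pid, comm in find_office_spawned_scripts(parse_ps(SAMPLE_PS)):
        print(f"suspicious: pid {pid} ({comm}) descends from an Office app")
```

A legitimate Office add-in can also spawn helpers, so treat a hit as a prompt to inspect the process, not as proof of compromise.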