Windows Malware Techniques Used in Mac Malware

After targeting Windows-based computers for the past few years, hackers are now shifting their interest to Macs, as new Mac malware detected earlier this week proved.

Mac security researchers detected two separate macOS malware samples this week. One of them relies on an old Windows technique: a malicious Microsoft Word document that abuses macros, titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace,” has been sent out.

The attack tricks victims into opening the infected Word document, which then runs malicious macros. One such file discovered by the researchers was titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.”

However, when opening the malicious Word document, Mac users are first prompted to enable macros before the embedded code can run on their system.

Denying that permission stops the attack, but if macros are enabled despite the warning, the embedded macro executes a function, coded in Python, that downloads the malware payload and infects the Mac, allowing the attackers to monitor the webcam, access browser history logs, and steal passwords and encryption keys.

Given that the code was very similar to EmPyre, this malware could very well monitor webcams, steal encryption keys and passwords, and access browser history logs.

While this type of attack is nowadays considered primitive, especially since Office itself advises against allowing macros to run and shows a clear warning about potential viruses, some Mac users were still affected.
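The macro-enabled document described above is a zip-based OOXML container, so a mail gateway or triage script can flag it before a user ever sees the "enable macros" prompt. The following is an added example, not code from the article or the researchers: it opens a .docx/.docm container, checks for a vbaProject.bin part and for the macro-enabled content type, and builds constructed sample containers in memory so it runs offline.

```python
import io
import zipfile

# OOXML content type that Word assigns to the main part of a macro-enabled (.docm) document.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_ooxml(data: bytes) -> dict:
    """Triage an OOXML container for embedded VBA: report whether a
    vbaProject.bin part exists and whether the main part is declared
    macro-enabled. Presence of macros is evidence, not a verdict."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "declared_macro_enabled": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all (legacy .doc or arbitrary bytes)
    with zf:
        names = zf.namelist()
        result["parts"] = names
        result["is_ooxml"] = "[Content_Types].xml" in names
        # The VBA project is stored as a binary part, normally word/vbaProject.bin.
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declared_macro_enabled"] = MACRO_CONTENT_TYPE in ctypes
    return result


def is_macro_document(data: bytes) -> bool:
    """True when either indicator of an embedded VBA project is present."""
    r = inspect_ooxml(data)
    return r["has_vba_part"] or r["declared_macro_enabled"]


def build_sample(macro: bool) -> bytes:
    """Constructed test data: a minimal OOXML container built in memory.
    The vbaProject.bin content is a placeholder, not a real macro project."""
    main_type = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()
```

The VBA source inside vbaProject.bin is stored compressed (MS-OVBA), so searching that part for strings such as "python" or "AutoOpen" is unreliable; use a dedicated VBA extractor such as olevba from oletools when the macro contents themselves need analysis.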

Another attack discovered by researchers this week also relied on a standard Windows technique: it prompted users to download and install a fake software update that actually harvests the user's Keychain, phishes for usernames and passwords, and collects other sensitive data.

The MacDownloader malware presented itself as both an Adobe Flash update and the Bitdefender Adware Removal Tool, the kind of prompt most users find annoying and simply dismiss.

This is exactly what the attackers want. Whether the user clicks to reject the update or presses yes to dismiss it once and for all, the malware gets the green light to harvest the user's Keychain, phish for usernames and passwords, collect private and sensitive data, and send it all back to the attackers.

Researchers have spotted this macOS malware targeting mostly the defense industry, and it is reported to have been used against a human rights advocate.

The best way to avoid these kinds of attacks is to deny permission for macros to run when opening a suspicious Word document and to avoid downloading software from third-party app stores or untrusted websites.