The major changes between the downloaded file (HA1QE) and the original file are the following:įigure 4. The source code of the project can be downloaded from the following URL: hxxps:///rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py. The downloaded python script is a slightly modified version of the Python meterpreter file, which is also part of the Metasploit framework.
When the python script is executed, it downloads a file from “hxxps://:443/HA1QE”, and executes it. It is decoded below, and as you can see, it is a very clear python script. It extracts the code from a base64-encoded string, and then executes it. As you can see above, the base64-decoded python script is passed to the ExecuteForOSX function that is going to execute it at the bottom of the function (see Figure 3). This allows it to execute python scripts by default.
#Os x word macros mac os x
We have found that this malicious VBA code uses slightly modified code taken from a metasploit framework which you can find at hxxps:///rapid7/metasploit-framework/blob/master/external/source/exploits/office_word_macro/macro.vba How it Works for Apple Mac OS XĪs you probably know, Mac OS X comes with Python pre-installed by Apple. Calling different route according to OS type You can see this in the the flow chart in Figure 3.įigure 3. Next, it takes a different route depending on the OS type, Apple Mac OS X or Microsoft Windows, that it is running on. The value of the “Comments” is base64 encoded, which can be read out and decoded by the VBA code below:Īfter it’s base64-decoded, we can capture the code in plaintext, which is python script, as shown below. The first thing it does is read the data from the “Comments” property of the Word file.įigure 2. Once the malicious VBA code is executed, the AutoOpen() function is automatically called. Asks victim to enable Macro security option When the Word file is opened, it shows notifies victims to enable the Macro security option, which allows the malicious VBA code to be executed. We then analyzed the sample, and in this blog we are going to explain how it works, step by step. The sample targeted both Apple Mac OS X and Microsoft Windows systems. The best way to avoid these kinds of attacks is to just deny permission to enable macros from running when opening a suspicious Word document and avoid downloading software from third-party App Store or untrusted websites.On March 16, FortiGuard Labs captured a new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. Researchers have spotted macOS malware targeting mostly the defense industry and reported to have been used against a human rights advocate. Once the user clicks on either reject the updates or just press yes to dismiss it once and for all, the malware gets the green signal to harvest user keychain, phish usernames and passwords, collect private and sensitive data, and then send them back to attackers.
#Os x word macros update
The MacDownloader nasty virus presented itself as both an update for Adobe Flash and the Bitdefender Adware Removal Tool, which are always annoying and dismissed by most users.
#Os x word macros install
Another malicious attack discovered by researchers this week also relied on standard Windows techniques by prompting users to download and install a fake software update, but actually harvest the user Keychain, phish usernames and passwords, and other sensitive data.
0 kommentar(er)
