„Malware is Windows only“ is a statement I often hear when talking with less-informed Mac-users. This may have been true some years ago, but the times, they are changing: With a wider distribution and more people using Macs, this platform is on target as well.
„But my Mac is safe?“
While the market share of Macs is — by far — not comparable with those of Windows-systems, the amount of percentage of Mac desktops- and notebooks ranges around 9,4 percent which is little more than a tenth of the 87,7 percent of Windows-systems Netmarketshare shows for July. Anyway, this share alone seems to be reason enough for many people to target macOS and its users as well, wiping away the old and still-in-mind status that there is no malware, no ransomware and no real virus on a Mac. That is just not true anymore and the latest presentation of Jamf’s Principal Security Researcher Patrick Wardle during the Black Hat 2020-conference show that there are definitely some aspects Mac-users may worry-about and like on every platform, the usage of Brain 2.0 is a good tool not to get sacked by modern digital pests.
The ThiefQuest-ransomware for example has recently shown that the halo of total security on macOS can get debunked quite fast if some specific preconditions are given. Now, Wardle has shown that the well-known Macro-viruses which were often a gateway to infect Windows-systems may be a threat for macOS as well — at least in some special ways.
On Black Hat 2020 — of course held virtually this year — Wardle told about an excessive increase of macOS-specific malware. In his keynote „Office Drama on macOS“, the security researched told that the Mac is already a target due to a wider distribution and the use in the nterprise and start-ups. Windows-user, for example, already know the common threat of macro-viruses attached to mails. Suffixes like .doc or .docm (containing a macro) are — by far — not new here and while it is often recommended to switch off the macro-function in Microsoft’s Office apps if you don’t need them, the Mac was a classic stronghold until these days. In addition, there is simply no user-awareness if it comes to Microsoft-documents on the Mac as the macro- and .VBS-support is quite limited if being compared to its Windows-derivate anyway.
We’re talking about an underestimated problem at this stage and to clarify this, Wardle presented a self-developed attacking-strategy minimizing user-interventions („0-Click“) and even with bypassing macOS Catalina’s security mechanisms. Although there are is no urgent danger for updating macOS-users at the moment, it comes even clearer that the Mac is not invincible anymore. The scenario discussed should do no harm to all installations with a current patch level (meaning especially Office 2019) but shows what is possible at the end if all (evil) prerequisites have been met.
Patrick Wardle is dealing with scenarios alike for quite some time now and already discovered an in-the-wild Word-document in 2017 which carried an evil load. According the the security researcher himself, the kind of attacks used over the last years are rather „lame“ nowadays as they still warn the user before the execution of the malicious code. The use of macros needs to be confirmed somehow and the sandbox-environment Microsoft Office is running in on macOS as well as the OS’ notarization-feature preventing a possible spreading after breaking the sandbox’-boundaries may prevent those classic attacks.
To reproduce this scenario and to bypass the security mechanisms, CVE-2019–1457 is used as first step. This security flaw affecting Microsoft Office 2016 and 2019 on macOS has already been patched my Microsoft in late November 2019. To be specific, older macros in the outdated XML-style (SYLK with .slk-suffix) were automatically opened and executed even with macros being completely deactivated.
Second, the sandbox-outbreak was being accomplished with the help of a wrong regular expression in Microsoft’s sandboxing-rules for Office as security-researcher Adam Chester already blogged about in 2018. Caused on a rather faltering fix by Microsoft it was possible to deploy nearly any data from macOS’ sandbox to other parts of the Mac-filesystem.
Wardle’s macro then creates a „login item“ which is the derivate to Window’s autostart-entry. After logging in with the specific user, this item is being loaded and it is done without any relying context to the sandbox. Notarization was bypassed as well with a quite simple trick: Patrick Wardle didn’t add an executable as startup item but a simple ZIP-file so the malicious business was done at this stage. With starting, macOS archive utility unzipped the contents with — unwittingly — creating a launch agent that could, however, start a reverse shell without triggering macOS Catalina’s security mechanisms.
Not only Microsoft has released its patches in the meantime — Apple got in the line as well. Since macOS Catalina 10.15.3 released in February 2020, macOS is secured against such an attack chain. Unfortunately, Patrick Wardle neither earned a bug bounty nor had this issue any further effect in form of a new CVE-entry. The security specialist still recommends a further process- and file-monitoring as well as behavior-based malware detection to protect also Mac-users against modern threats.
Additionally, his free book „The Art of Mac Malware“ (https://taomm.org) is still a good read to see that our Macs aren’t invincible at all. Precaution and open eyes while working with any operating system should be standard and once we are unsure about a pop-up-message, rather don’t click on it and rely on Brain 2.0!