Security researchers at Fortinet have spotted a weaponized Word document that has been designed to spread malware on either Microsoft Windows or Mac OS X, it is able to determine which OS is used by the person that opens the document and start the attack.
The documents trick victims into enabling macros, then a malicious VBA code is executed.
Once the VBA code is executed, the AutoOpen() function is automatically invoked. It first reads the data from the “Comments” property of the Word file, a base64-encoded string, and depending on the OS, executes a certain script.
When executed on Mac OS X, the script downloads a malicious file containing another script, written in python, that’s executed and communicate with the control server.
“When the python script is executed, it downloads a file from “hxxps://sushi.vvlxpress.com:443/HA1QE”, and executes it. The downloaded python script is a slightly modified version of the Python meterpreter file, which is also part of the Metasploit framework.” reads the analysis published by Fortinet. “The source code of the project can be downloaded from the following URL: hxxps://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py.”
The above script is a version of a Python Meterpreter file that leverages in-memory DLL injection mechanism.
A similar technique was implemented by the criminal gang tracked as GCMAN and a group of criminals that powered a hacking campaign that leverage on fileless malware in February,
The script used to start the attack on Window systems is much more sophisticated. It implements a “matryoshka” mechanism of powershell scripts and according to the researchers it only works on 64-bit versions of Windows.
Each layer is base64-encoded, once the final level is executed, the script downloads a 64-bit DLL file, which executes and communicates with the control server.
The malware researchers at Fortinet are still analyzing the malicious code.
(Security Affairs – malware, Mac OS)