Computer security experts warn of a dangerous and ongoing attack against macOS users that uses the flaw described in the CVE-2019-1457 advisory. Hacking groups are abusing this flaw in order to plan and execute complex infections. It is seen as one of the more dangerous document-based exploit chains of recent times.
macOS Users Attacked Via CVE-2019-1457 Complex Exploits using Macro-infected Documents
Macro-based document attacks are one of the most popular mechanisms used by computer criminals on Windows. Even though most of them take a relatively simple approach, embedding a payload downloader directly in the macros of scam files, a much more complex method has now been detected.
The CVE-2019-1457 advisory shows how this attack approach is carried out in most cases. The bug, alternatively known as the Microsoft Office Excel Security Feature Bypass, is found in Microsoft Office and is triggered by inserting the malicious content into the target files. It is confirmed to work with versions 2016 and 2019 on macOS. The hackers create target user documents and insert the malicious macros in them; usually these are programmed to include some kind of payload carrier for a certain malware.
Using advanced hacker tactics and macros created in this sophisticated way, analysts discovered that it is possible to abuse the Office app’s sandbox profile, overriding the program’s security. The malware creators can thereby create a file anywhere on the target file system, so macro-infected documents created this way can be used to launch complex local malware with the steps needed to bypass the operating system’s security. The following actions can then be executed while installing any kind of malware payload:
- Security Features Bypass — The commands inserted in the hosted code can be used to bypass the security applications and services that are part of the operating system. This includes anti-virus clients, firewalls, intrusion detection systems and virtual machine hosts.
- System Configuration Changes — The virus code can reprogram the system, which may lead to Windows Registry value modifications or system boot configuration changes. Users will experience performance issues when running certain functions, data loss or even the removal of sensitive user files. In many cases the carried payload is configured to start automatically when the computer is powered on. It may also deny access to certain recovery options.
- File Changes — In many cases, through these documents, the hackers can program the underlying Office program to create new files or edit the contents of existing ones.
Using this approach, viruses across all popular categories can be delivered. Especially dangerous are the Trojan horse client infections, which are used to take over control of the hosts. More and more macOS ransomware is also being pushed using this method. These are file-encrypting viruses designed to process user files and then extort the victims for a cryptocurrency payment.
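Since the documents described above carry their payload in an embedded VBA project, a mail gateway or endpoint triage step can flag them before Office ever opens them. The following added example (not code from the article or from any of the parties it describes) inspects an OOXML package in memory for the two signals that mark a macro-bearing file: a `vbaProject.bin` part, and a `[Content_Types].xml` override declaring the VBA content type. The `build_sample` helper constructs a minimal stand-in package so the check runs offline; it is not a real Office document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type an OOXML package uses to declare an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def inspect_ooxml(data: bytes) -> dict:
    """Triage an in-memory OOXML package for VBA macros via two independent signals."""
    # Signal 1: a vbaProject.bin part. Signal 2: a [Content_Types].xml VBA override.
    result = {"is_ooxml": False, "vba_parts": [], "declared_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container, so not an OOXML document
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        result["declared_vba"] = any(
            el.get("ContentType") == VBA_CONTENT_TYPE for el in root.iter(CT_NS + "Override"))
    return result

def has_macros(data: bytes) -> bool:
    """True when either signal is present; a part without a declaration still counts."""
    info = inspect_ooxml(data)
    return bool(info["vba_parts"]) or info["declared_vba"]

def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal package (not a real Office file) used only to exercise the check."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    parts = {"word/document.xml": b"<w:document/>"}
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project"
    types_xml = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 f"{overrides}</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Presence of a VBA project is a triage signal, not proof of malice; files that trip it should be routed to sandbox detonation or blocked by policy rather than auto-deleted.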