Last week, researchers analyzed a malicious Word document whose macro distinguishes between two different operating systems. The goal of the document is to infect both Windows and Mac systems from a single file.
If you open such a document and enable macros, the malicious Visual Basic for Applications code runs immediately. The macro reads a base64-encoded string embedded in the file, chosen according to the operating system it is running on, decodes it, and executes the resulting script.
Users of Mac OS X must be particularly careful, because on that platform the decoded script carries a further script that tries to contact the attacker's server; researchers reported that this script is a modified version of an existing Python file. The script intended for Windows is more complicated. Like a nested Russian doll, its base64-encoded data layer produces a PowerShell script whose main task is to decode yet another base64-encoded layer. The researchers suggested that this malware runs only on 64-bit versions of Windows.
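The layered structure described above is what an analyst has to unwrap before the payload can be understood. The following Python script is an added example, not code from the original article, from Fortinet, or from the malware itself: it builds two harmless, constructed stand-ins for the per-OS payloads (a PowerShell command line wrapped the way `-EncodedCommand` expects, UTF-16LE inside base64, then base64-encoded again; and a base64-encoded Python snippet), then peels each layer in turn and guesses which interpreter it targets. The sample contents, the PowerShell flags, the 40-character minimum for a base64 run and the keyword heuristics are all assumptions made for the example; the real document's encoding details are not given on this page.

```python
import base64
import binascii
import re

# Constructed, benign stand-ins for the two per-OS payloads the article
# describes. Nothing here is taken from the real sample.
INNER_SCRIPT = "Write-Host 'benign inner layer'"
# PowerShell's -EncodedCommand takes base64 of UTF-16LE text, so the inner
# layer is wrapped that way, then the whole command line is base64-encoded
# again: the "Russian doll" structure the analysts describe.
_inner_b64 = base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode("ascii")
_ps_wrapper = f"powershell -NoP -NonI -W Hidden -EncodedCommand {_inner_b64}"
WINDOWS_SAMPLE = base64.b64encode(_ps_wrapper.encode("ascii")).decode("ascii")

MAC_SCRIPT = "import sys\nprint('benign mac stand-in')\n"
MAC_SAMPLE = base64.b64encode(MAC_SCRIPT.encode("ascii")).decode("ascii")

# Candidate base64 runs: long enough to skip ordinary identifiers (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def looks_like_text(s: str) -> bool:
    """Accept a decoded layer only if it is almost entirely printable ASCII."""
    if not s:
        return False
    good = sum(1 for c in s if c.isascii() and (c.isprintable() or c in "\r\n\t"))
    return good / len(s) >= 0.95


def decode_layer(blob: str):
    """Base64-decode one candidate run and return it as text, or None.

    UTF-16LE is tried first because that is what PowerShell's -EncodedCommand
    expects; plain UTF-8 covers the Python/shell case. ASCII bytes read as
    UTF-16LE decode to non-ASCII code points, so the ratio check rejects them.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if looks_like_text(text):
            return text
    return None


def classify_layer(text: str) -> str:
    """Rough guess at which interpreter a decoded layer is meant for (heuristic)."""
    t = text.lower()
    if any(k in t for k in ("powershell", "-encodedcommand", "invoke-expression", "write-host")):
        return "powershell"
    if any(k in t for k in ("import ", "python", "def ")):
        return "python"
    return "unknown"


def peel_layers(payload: str, max_depth: int = 10):
    """Repeatedly decode the first base64 run that yields readable text.

    Returns a list of (kind, text) pairs, outermost first. Stops when no
    further layer decodes, or at max_depth so that a payload crafted to
    loop cannot keep the analyst's tool busy forever.
    """
    layers = []
    current = payload
    for _ in range(max_depth):
        decoded = None
        for match in B64_RUN.finditer(current):
            decoded = decode_layer(match.group(0))
            if decoded is not None:
                break
        if decoded is None:
            break
        layers.append((classify_layer(decoded), decoded))
        current = decoded
    return layers


if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_SAMPLE), ("mac", MAC_SAMPLE)):
        print(f"== {name} branch ==")
        for depth, (kind, text) in enumerate(peel_layers(sample), 1):
            print(f"layer {depth} [{kind}]: {text[:60]!r}")
```

Run as-is, the Windows branch peels to two PowerShell layers and the Mac branch to a single Python layer. The `max_depth` cap and the strict `validate=True` decoding are the two details worth keeping in any real triage script: the first bounds the work a hostile sample can cause, the second avoids silently decoding garbage from a run that merely looks like base64.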
Researchers worked out how the malware is delivered, but not what its next steps would be. Peixue Li, senior manager of FortiGuard Service Development and Security Research, said that when they tried to reach the attacker's server, neither the Windows nor the Apple payload received an answer, and Wireshark showed only a TCP error.
Macro malware that attacks macOS is a recent development. Synack researchers revealed macro malware that targets only Mac devices. That malware, whose IP address is located in Russia, works in the same way: once macros are enabled, it decodes data and executes it with Python. The sample found by Synack relies on a legitimate Python post-exploitation agent for OS X and Linux.
Fortinet's researchers are still analyzing the sample, but Li stated that its Python post-exploitation agent differs greatly from the malware examined by Synack. What the two clearly have in common is the use of Office macros to reach Mac systems as well as Windows.