June 17, 2021

New Mac Malware uses Office Documents to Exploit OS X

(LiveHacking.Com) – Alien Vault Labs have recently found some OS X malware which uses an already fixed vulnerability in Microsoft Office for Mac to infect Apple PCs with command-and-control malware. The vulnerability exploited by the malware was patched in June 2009 and affected all versions of Mac Office 2004 version 11.5.4 or earlier, Mac Office 2008 version 12.1.8 or earlier, and OpenXML Converter 1.0.2 or earlier. The malware, which will only infect unpatched systems, is the first recorded malware for OS X that attempts to use Office documents as a means of infection.

For a system to be infected a user needs to open a specially crafted Word document in an unpatched version of Word for Mac. The document then causes a script to save the malware to the hard disk. The malware is then run to complete the infection. Once installed the malware tries to make contact with a command-and-control server in China. The server sends instructions to the Mac giving the attacker remote control and allow them to install programs; view, change, or delete data; or create new accounts. By running Word from standard account (which the majority of Mac user do), the control that the remote attackers have over the system is limited.


The good news is that the malware is easy enough to remove by running the following commands in the OS X Terminal:

sudo rm /Applications/Automator.app/Contents/MacOS/DockLight
sudo rm /Library/launchd

As always, it is best to keep your Mac up to date via the automatic software updates supplied by Apple and by any third parties like Microsoft.