Nearly a month after the discovery of the first malicious Microsoft Word document capable of infecting Apple Mac OS X computers, Fortinet security experts captured a Word document that spreads malware by executing malicious VBA code and can infect both Windows and Mac OS X.
In early February 2017, Symantec and Synack security researchers revealed details of a fully operational macro virus for Mac OS X. The experts found a malicious Word document containing a macro with built-in Python code that downloads malware to the victim’s computer from the attacker’s server. Since the C&C server had already been disabled before the discovery, the experts could not determine the specific purpose of this malware attack.
On March 16, FortiGuard Labs identified a similar malicious Word document that also contains a VBA macro with a Python script. At the initial stage, the macro identifies which operating system is running on the victim’s computer, and then takes a different route depending on the OS type to download a malicious Python script. Regardless of the operating system, both malware scripts show the same behavior, using Metasploit framework modules to communicate with the C&C server.
This is the first reported case in which attackers inject malicious scripts into the same macro to attack different operating systems.
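A defender can triage extracted macro source for the pattern described above: one auto-running macro that checks the operating system and carries a command-execution path for each platform. The sketch below is an added example, not code from the article or from FortiGuard Labs; the indicator keywords, verdict names and sample macros are assumptions constructed for illustration.

```python
import re

# Indicator groups for VBA source text (for example, as dumped by a macro
# extraction tool). The keyword choices are illustrative assumptions.
INDICATORS = {
    "auto_exec": re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "os_check": re.compile(r"#If\s+(Mac|Win32|Win64)\b|Application\.OperatingSystem", re.I),
    "exec_windows": re.compile(r"\bShell\s*\(|WScript\.Shell|\bpowershell\b", re.I),
    "exec_mac": re.compile(r"\bMacScript\s*\(|\bpopen\b|\bsystem\s*\(", re.I),
}

# Matches a VBA comment: an apostrophe outside any "..." literal, to end of line.
COMMENT_RX = re.compile(r'''^((?:[^"'\n]|"[^"\n]*")*)'.*$''', re.M)

def classify(source):
    """Return matched indicator groups and a coarse verdict for one macro."""
    code = COMMENT_RX.sub(r"\1", source)  # keywords in comments do not count
    hits = {name for name, rx in INDICATORS.items() if rx.search(code)}
    if {"auto_exec", "os_check", "exec_windows", "exec_mac"} <= hits:
        verdict = "dual-os-execution"
    elif "auto_exec" in hits and hits & {"exec_windows", "exec_mac"}:
        verdict = "auto-exec-with-command-execution"
    else:
        verdict = "no-match"
    return {"hits": sorted(hits), "verdict": verdict}

# Constructed samples; command strings are placeholders, not real payloads.
SAMPLE_DUAL = '''Sub AutoOpen()
#If Mac Then
    r = MacScript("<placeholder>")
#Else
    r = Shell("<placeholder>", 0)
#End If
End Sub'''
SAMPLE_BENIGN = '''Sub FormatTitle()
    ' an #If Mac check or Shell("x") mentioned only in a comment
    Selection.Font.Bold = True
End Sub'''

if __name__ == "__main__":
    for name, src in (("dual", SAMPLE_DUAL), ("benign", SAMPLE_BENIGN)):
        print(name, classify(src))
```

A keyword match is a triage signal only; obfuscated macros can evade it, so a hit should route the document to sandboxing or manual review rather than serve as a final verdict.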
To protect yourself from malware attacks, don’t open suspicious-looking emails, and never download Microsoft Word attachments that come from someone you do not know or that you were not expecting.