Infecting Macs with malware often requires cybercriminals to get a bit more crafty, which is why they’re now using a novel approach to infect Apple’s computers with a malware strain previously used to target Windows PCs.
As reported by The Hacker News and discovered by security researchers at Trend Micro, the Dridex banking malware is currently being used to target devices running macOS. However, what sets this campaign apart is the fact that the cybercriminals behind it have figured out a way “to deliver documents with malicious macros to users without having to pretend to be invoices” according to a new report.
Dridex is information-stealing malware attributed to the cybercriminal group Evil Corp. It is used to harvest sensitive data from infected machines, but it can also execute additional malicious modules. In the past, it has been used to target Windows PCs through macro-enabled Microsoft Excel spreadsheets distributed via phishing emails.
Now that Microsoft has blocked macros by default in its office software, the cybercriminals behind this latest campaign have come up with a clever way to enable them on macOS.
Adding malicious macros to existing documents
The Dridex malware sample that Trend Micro analyzed arrives as a Mach-O file, the executable format used by both macOS and iOS. The sample was first discovered and submitted to VirusTotal back in 2019, and 67 more artifacts based on it have since been detected in the wild, some as recently as December of last year.
The Mach-O file has a malicious document embedded inside it that was first detected all the way back in 2015. That document incorporates an Auto-Open macro, which runs automatically as soon as the document is opened.
If a Mac user downloads the file and opens it, the malicious code within the Mach-O executable overwrites all of the Microsoft Word files in their user directory in macOS. According to Trend Micro, this makes it “more difficult for the user to determine whether the file is malicious since it doesn’t come from an external source”.
The macros in the overwritten documents then contact a remote server to download additional files, including a Windows executable (.exe) that can’t even run on macOS. The Dridex malware itself is also downloaded onto the compromised Mac.
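A defender-side triage check for the behaviour just described, written as an added example that is not taken from the article or from Trend Micro’s report: it walks a directory and flags Word files that carry a VBA project, either an OOXML part named word/vbaProject.bin or, for legacy OLE documents, a "VBA" storage name (the latter is a heuristic, not a full OLE parse). The sample files it inspects are constructed inline.

```python
# Added example (not the article's or Trend Micro's code): flag Word files carrying a VBA project.
import os
import tempfile
import zipfile

WORD_EXTS = {".doc", ".dot", ".docx", ".docm", ".dotx", ".dotm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory names are UTF-16LE; a "VBA" storage name is only a heuristic
# sign of a macro project (a full parse would use the olefile package).
OLE_VBA_NAME = "VBA".encode("utf-16-le")


def has_vba_project(path: str) -> bool:
    """True if the file looks like a macro-carrying Word document."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(OLE_MAGIC):            # legacy binary .doc/.dot
        return OLE_VBA_NAME in data
    if zipfile.is_zipfile(path):              # OOXML .docx/.docm/.dot*
        with zipfile.ZipFile(path) as zf:
            return "word/vbaProject.bin" in zf.namelist()
    return False

def scan_word_files(root: str) -> list[str]:
    """Sorted paths under root with a Word extension and a VBA project."""
    return sorted(
        os.path.join(d, n) for d, _, names in os.walk(root) for n in names
        if os.path.splitext(n)[1].lower() in WORD_EXTS
        and has_vba_project(os.path.join(d, n))
    )

def build_samples(root: str) -> None:
    """Constructed samples: clean .docx, macro .docm, OLE .doc with VBA."""
    with zipfile.ZipFile(os.path.join(root, "clean.docx"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(os.path.join(root, "report.docm"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed\x00")
    with open(os.path.join(root, "notes.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 24 + OLE_VBA_NAME + b"\x00" * 8)

def demo() -> list[str]:
    """Build the samples in a temp dir and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return [os.path.basename(p) for p in scan_word_files(tmp)]

if __name__ == "__main__":
    print(demo())  # ['notes.doc', 'report.docm']
```

Pointing scan_word_files at a real home directory lists documents that contain macros at all; a macro-free document that suddenly gains a VBA project is the signal to investigate.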
How to stay safe from Mac malware
In this case, the malware itself can’t infect targeted Macs since it’s contained within an executable Windows file. However, if a user downloads the Mach-O file and has their own files overwritten with malicious ones, then tries to share them online, they could unwittingly infect their family, friends and coworkers with malware.
Although every Mac ships with Apple’s built-in protections, Gatekeeper and the XProtect malware scanner, you might want to consider picking up one of the best Mac antivirus software solutions for your devices for additional protection.
Macs have historically been safer than Windows PCs, which absolutely need the best antivirus software, but as Apple’s computers have become more popular in recent years, cybercriminals have been devising new ways to target Macs. This is why you need to be careful when downloading new files online, clicking on links in emails and messages or opening attachments from unknown senders.
For now at least, Macs are safe from the Dridex malware — but the cybercriminals behind this campaign could come up with a way to modify it so that it is compatible with macOS.