Mac backdoor Trojan embedded inside boobytrapped Word documents

Filed Under: Apple, Featured, Malware, Vulnerability

Apple store. Image credit: pcruciatti / Shutterstock.comThe folks at AlienVault discovered an interesting new Mac malware attack this week.

A backdoor Trojan horse, which would allow a remote hacker to access your Mac computer without your knowledge and potentially snoop on your files and activity, has been discovered hidden inside a boobytrapped Word document.

The targeted attack relies upon a critical security vulnerability discovered in Microsoft Word back in 2009, which allowed remote code execution (MS09-027).

In a nutshell, if you open the boobytrapped Word document, a Trojan horse gets dropped onto your Mac opening a backdoor for remote hackers. Furthermore, a decoy document called file.doc is also dumped onto your drive.

Dropped decoy Word document

The nature of the decoy document, which claims to be about Human Rights abuses in Tibet by the Chinese, is sure to raise some eyebrows.

Inevitably there will be speculation that this attack is related to 'Ghostnet', the alleged campaign by China to spy via the internet on pro-Tibet organisations, including the Tibetan government-in-exile and the private office of the Dalai Lama.

If that's the case, then it would seem that 'Ghostnet' is now targeting Mac users inside organisations sympathetic to Tibet and banned Chinese groups.

And don't be fooled into thinking that you are protected by Mac OS X itself, which will ask for an administrator's username and password to install software. You won't see any prompt for credentials when this malware installs, as it is a userland Trojan.

Neither the /tmp/ nor /$HOME/Library/LaunchAgents folders on Mac OS X require root privileges - meaning that software applications can run in userland with no difficulties, and even open up network sockets to transfer data.

Mac malware hex dump

Sophos anti-virus products detect the malformed Word documents as Troj/DocOSXDr-A and the Mac backdoor Trojan horse as OSX/Bckdr-RLG. The servers that the malware attempts to communicate with have been categorised by Sophos as malware repositories since at least 2009.

Once again, Mac users need to remember to not be complacent about the security of their computers. Although there is much less malware for Mac than there is for Windows, that is going to be no compensation if you happen to be targeted by an attack like this.

If you're not already doing so, run anti-virus software on your Macs. If you're a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.

Image credit: pcruciatti / Shutterstock.com

, , , , ,

You might like

11 Responses to Mac backdoor Trojan embedded inside boobytrapped Word documents

  1. Sizzle · 944 days ago

    Macs aren't secure, when a Microshaft product is installed.....
    It's a little bit ironic, don't you think?
    It's like rain, on your wedding day....
    It's a free ride, when you're already there....

    You get the idea...

  2. I DO use your software on my MAC.....one of the first things I got, actually. SO, tell me....does your software BLOCK this? I wouldn't open an email on human rights violations anyhow, because I always feel these COULD contain things like this, but I'd like to know IF your software blocks the ones you know about.......I ask b/c I've never had a warning bubble at all...... Not that I'm complaining, necessarily....

  3. Joyce Houghton · 944 days ago

    I actually saw your anti virus software at work on my Mac, so I'm quite satisfied that I had the sense to install it. Thank you.

  4. Geode · 944 days ago

    The Macs at our office use MS Office 2004. The program has the AutoUpdate feature and new "security" updates are pushed from MS servers about once every six months, sometimes more frequently. (One big pain of installing Office is having to then upload about 15, eight years' worth of updates after the initial installation!)

    So are you saying that MS hasn't patched this vulnerability in all that time? Seems pretty negligent...

    • briavael · 943 days ago

      Looking at the linked MS09-027 bulletin, it appears that Microsoft patched this vulnerability in the 11.5.5 update for Office 2004 and 12.1.9 for Office 2008 (both updates published way back in June 2009). So as long as you keep up with your AutoUpdates you're covered.

      It's good that Sophos is alerting people to the new Trojan but it's a bit misleading considering that this is not a newly discovered Office vulnerability.

  5. Jim · 943 days ago

    If you open this file in iWorks, will the Trojan execute?

  6. Dejan · 942 days ago

    Intego says:

    "These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don’t update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format".

  7. There are so many AV availble for MAC too.

  8. who cares · 939 days ago

    which is why I use and will always use NOTEPAD

  9. Chris Francis · 937 days ago

    I have been running Sophos for two years on my aging G4's and two weeks ago Sophos found a trojan on one of them and killed it.

    Good for you guys and take note out there all Mac users.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.