Rare Mac Trojan Exploits Microsoft Office for Mac
By Sara Yin: A new Mac backdoor Trojan exploits a Microsoft Office vulnerability patched in 2009 to break into the computers of Tibet sympathizers, though it could just as easily be aimed at other OS X users.
The Trojan, first reported by AlienVault, is packaged in a Word document (.doc only, not .docx) that looks like a letter from a Tibetan leader to the United Nations Commission for Human Rights, detailing China's human rights abuses. A more vigilant user might be tipped off by the spelling errors in the letter.
Opening the document in a vulnerable copy of Word immediately drops a backdoor that lets attackers into the machine, where they can potentially execute code, snoop on files, install programs, move data, and even create new accounts with full user rights. Although this particular backdoor is probably not widespread and appears to target only Tibetan NGOs, Intego researchers warned that the malicious code in these Word documents isn't encrypted. In other words, any malware writer who gets hold of the document can easily alter and redistribute it.
"The attack will be very effective on those who have not updated their copies of Microsoft Office, or aren't running antivirus software," Intego wrote in a blog post.
Sophos's Graham Cluley suggests the latest Trojan comes from GhostNet, a Chinese cyber espionage group dating back to 2009 that spies on Tibet and its sympathizers. In 2010, Canadian researchers reported that GhostNet stole emails and documents from the Indian Defense Ministry and the Dalai Lama's office. Cluley said the malware attempts to communicate with servers used as malware repositories since 2009.
A "Userland Trojan"
To sum up what AlienVault details in its blog post, the attack is two-fold. In the first stage, the shellcode writes the malicious payload to the _IMPORT section on disk. In the second stage, it writes files to /tmp/ and executes a bash script.
Cluley noted that neither /tmp/ nor $HOME/Library/LaunchAgents requires root privileges to write to, so you won't see a prompt for credentials when the malware is installed. The Trojan installs entirely in userland, the part of the system that doesn't contain critical system components, so even a "Guest" user on your Mac could open the file and end up infected.
"[Don't] be fooled into thinking that you are protected by Mac OS X itself, which will ask for an administrator's username and password to install software," Cluley wrote. "You won't see any prompt for credentials when this malware installs, as it is a userland Trojan."
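Because the persistence lives in a per-user LaunchAgents folder that any account can write to, the practical check is to read what those agents actually launch. The script below is an added example, not code from the article, AlienVault, Intego or Sophos: it parses LaunchAgent plists with Python's standard plistlib and flags the pattern described above (a shell started against a script in /tmp/). The list of temp directories, the list of interpreters, the "com.apple.* label in a user folder" heuristic, and both sample plists are assumptions constructed for the example, not artifacts recovered from the real Trojan.

```python
import os
import plistlib

# Assumptions (not from the article): temp locations a dropper would stage in,
# and interpreters whose presence as the program means the payload is a script.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "perl", "osascript"}


def program_path(plist):
    """Program a launchd job runs: the Program key, else ProgramArguments[0]."""
    prog = plist.get("Program")
    if prog:
        return prog
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def launch_agent_findings(plist_bytes):
    """Return reasons a LaunchAgent plist looks like dropped malware persistence.
    An empty list means no check tripped, not that the agent is known-good."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:
        return [f"unparseable plist: {exc}"]
    prog = program_path(plist)
    if prog is None:
        return ["no Program or ProgramArguments"]
    reasons = []
    args = plist.get("ProgramArguments") or []
    # 1. Anything executed from a world-writable temp dir (the Trojan stages in /tmp/).
    for path in [prog] + [a for a in args[1:] if a.startswith("/")]:
        if path.startswith(TEMP_PREFIXES):
            reasons.append(f"executes from temp dir: {path}")
    # 2. A shell or interpreter as the program means the real payload is a script.
    if os.path.basename(prog) in INTERPRETERS:
        reasons.append(f"interpreter as program: {prog}")
    # 3. Heuristic: Apple's own agents ship under /System/Library, so a com.apple.*
    #    label inside a per-user LaunchAgents folder is masquerading.
    if str(plist.get("Label", "")).startswith("com.apple."):
        reasons.append(f"Apple-style label in user agent: {plist['Label']}")
    return reasons


def scan_launch_agents(directory):
    """Scan every .plist in a LaunchAgents folder; returns {filename: reasons}."""
    flagged = {}
    if not os.path.isdir(directory):
        return flagged
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            reasons = launch_agent_findings(fh.read())
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample plists for the example (not recovered from the real Trojan).
SUSPICIOUS_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>/tmp/launch.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>org.example.syncclient</string>
  <key>Program</key><string>/Applications/SyncClient.app/Contents/MacOS/SyncClient</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, launch_agent_findings(sample))
    # On a real Mac, point it at the current user's agents folder.
    for name, reasons in scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")).items():
        print(name, reasons)
```

Run it as the user whose account you are checking; a per-user agent is only visible in that user's home, which is exactly why an install that never asks for an admin password is easy to miss from the administrator's own session. The findings list is deliberately a set of independent reasons rather than a verdict, so a legitimate agent that happens to wrap a script in bash is surfaced for a human to judge rather than silently scored.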
The Trojan exploits MS09-027, a critical Microsoft Word vulnerability that Microsoft patched in 2009 and that affects Office 2004 and 2008 for Mac.
Users of Microsoft Office 2004 and 2008 (Office 2011 is not affected) who haven't already applied Microsoft's security updates should do so immediately, and should run Mac antivirus that detects the backdoor. For more on Mac malware, check out The Ten Most Dangerous Mac Viruses and Antivirus for Mac: It's Time.