An ’80s File Format Enabled Stealthy Mac Hacking

The now-patched vulnerability would have let hackers target Microsoft Office using Symbolic Link—a file type that hasn't been in common use in over 30 years.

Microsoft Office macros have long been a crude but effective tool in the hands of hackers: Trick someone into opening an attachment and clicking "allow" to enable macros, and a simple Word document can run a script of commands that serves as the first step toward taking over their device. While that macro trick has increasingly been used to target Microsoft Office on macOS, one Mac hacker sought out a stealthier and more reliable method of exploiting it. He found one in an obscure, 30-year-old file format.

At the Black Hat security conference today, former NSA hacker Patrick Wardle plans to detail that technique, which exploits a series of vulnerabilities in both Microsoft Office and macOS to gain full access to the target Mac. One of those bugs relates to how Excel handles a certain, largely outdated file type called Symbolic Link, or SYLK. The format hasn't been in common use since the 1980s, but it provided a link in the chain that fully bypassed Microsoft Office's security restrictions on macros. Combined with other vulnerabilities in macOS, Wardle's technique, which Apple patched after he alerted the company to it earlier this year, would have allowed a hacker to take over a target computer with no warning to the victim, who merely had to open a malicious attachment.

"The system is fully owned and infected," says Wardle, principal security researcher at Apple-focused security firm Jamf and the author of the forthcoming The Art of Mac Malware. "And there’s no sign the attack is occurring."

Wardle says he first became curious about Mac-targeted macro attacks around 2017, when security firms began to warn about their use against Apple customers rather than the typical Windows victims. More Mac-targeted macro attacks surfaced in 2018 and 2019, including Kaspersky's discovery in 2019 that North Korean hackers were apparently using macros to steal cryptocurrency from Mac users. As Macs became more prevalent in the workplace, so did the threat from macro-based attacks.

"We were seeing interest from hacker groups. So I wondered, could things be worse? Is this something we should be paying more attention to, or are these lame attacks?" Wardle says. So he decided to see if he could develop a more powerful Mac-targeted macro attack, one that wouldn't require the victim to click "allow" and that wouldn't be confined to the so-called sandbox that limits an application's access to the rest of the computer, preventing it from stealing files or installing persistent malware. "Working at the NSA corrupted my mind and filled it with evil ideas," Wardle says. "I basically wanted to come up with a macro-based attack that I wouldn’t be embarrassed to use against a target."

In October of last year, Wardle saw that Dutch researchers Stan Hegt and Pieter Ceelen had revealed an intriguing bug in Microsoft Office. Excel failed to warn the user before running any macro contained in a file in the SYLK file format, an almost-forgotten file type but one with which Microsoft Office had maintained compatibility. The trick worked by default in Office 2011 for Mac, bypassing any macro warning. But it also worked, ironically, in more recent versions when a user or an administrator had set the program to its most secure configuration. When Excel was set to disable all macros with no notice to the user, it instead ran SYLK file macros automatically.

The vulnerability, Hegt explains, stems from Microsoft's use of entirely different code to manage the old SYLK files than the code used to handle more recent file formats. "There are two different macro engines in one product, and that’s a very interesting starting place for research," Hegt says.

The Dutch researchers warned Microsoft about the vulnerability, but the company didn't issue a patch, in part because a hacker that used it would still be stranded in Microsoft Office's sandbox. But it took Wardle only two days of work, he says, to chain together a series of tricks to break out of Microsoft Office's quarantine and into the rest of the computer.

That chain began with another known but unfixed bug: Office's sandbox let the app write a file outside the sandbox as long as the file name began with the characters "~$", the prefix Office uses for its own temporary owner files. He thought of using that bug to add a login item that automatically runs when a user logs in. But macOS's notarization check only launches login items that Apple has approved, stymying that route. Instead, Wardle found that he could circumvent that safeguard by packaging the payload as a zip file. That meant macOS's built-in Archive Utility, which as Apple software passes the notarization check, would open at login and unpack the file, which in turn would drop a launch agent that executes the next time the user logs in. That launch agent then uses a Bash script to install and run any malware of Wardle's choosing.
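The two artifacts that chain leaves on disk, a "~$"-prefixed file in a place where no document lives and a user launch agent that hands off to a shell, are both things a defender can hunt for. The audit below is an added example, not Wardle's code and not an exact signature for his chain. It assumes the attacker's agent invokes a shell interpreter and that an Office owner file ("~$name") has no business under ~/Library; the labels, paths and plists it uses are constructed for the example, and `demo_in_tempdir` builds a throwaway home directory so it runs offline.

```python
"""Audit user LaunchAgents and stray '~$' files for the persistence pattern
described above.  Added example with constructed samples; assumptions are
marked in comments.
"""
import os
import plistlib
import tempfile
from pathlib import Path

SHELLS = {"sh", "bash", "zsh", "dash"}                      # interpreters an agent rarely needs
USER_WRITABLE_ROOTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing odd."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["plist does not parse"]
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    if not args:
        return ["no Program/ProgramArguments"]
    findings = []
    if os.path.basename(args[0]) in SHELLS:
        findings.append("agent runs a shell: " + " ".join(args))
    for a in args:
        if os.path.basename(a).startswith("~$"):
            findings.append("argument uses the Office owner-file prefix: " + a)
        if a.startswith(USER_WRITABLE_ROOTS) and job.get("RunAtLoad"):
            findings.append("RunAtLoad program in a user-writable location: " + a)
    return findings


def stray_owner_files(library_dir: Path) -> list[Path]:
    """Office owner files ('~$name') live beside open documents; any under ~/Library is odd."""
    return sorted(p for p in Path(library_dir).rglob("~$*") if p.is_file())


def audit_home(home: Path) -> dict:
    """Scan one user's ~/Library/LaunchAgents and ~/Library for the two artifacts."""
    home = Path(home)
    library = home / "Library"
    report = {"agents": {}, "stray_owner_files": []}
    for plist in sorted((library / "LaunchAgents").glob("*.plist")):
        findings = audit_launch_agent(plist.read_bytes())
        if findings:
            report["agents"][plist.name] = findings
    report["stray_owner_files"] = [str(p.relative_to(home)) for p in stray_owner_files(library)]
    return report


# Constructed samples (hypothetical labels and paths, not real software).
SUSPICIOUS_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/bash", "-c", "/Users/victim/Library/.cache/run.sh"],
    "RunAtLoad": True,
})
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
    "RunAtLoad": True,
})


def demo_in_tempdir() -> dict:
    """Build a throwaway home directory holding the constructed samples and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        agents = home / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        (agents / "com.example.updater.plist").write_bytes(SUSPICIOUS_AGENT)
        (agents / "com.example.helper.plist").write_bytes(BENIGN_AGENT)
        # Constructed stray owner file: a zip written with the '~$' prefix under ~/Library.
        (home / "Library" / "~$payload.zip").write_bytes(b"PK\x03\x04")
        return audit_home(home)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Run against a real account with `audit_home(Path.home())`. A shell-invoking agent is not malicious by itself (plenty of legitimate tools do it), so treat the output as a hunting lead and check what the script it points at actually does.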

Altogether, that means an unwitting victim only needs to open a malicious attachment once. After they subsequently log out and back in (or reboot) twice, the malware has full control of their machine. "It does require the user to log in twice," Wardle says. "But I can wait around for that."

Wardle warned both Microsoft and Apple about his hacking technique in November, and Apple issued a patch for it earlier this year in macOS 10.15.3, though neither company has quite made clear which parts of Wardle's chain of vulnerabilities have been fixed and which remain. Microsoft, for instance, has neutered the SYLK file format bug in Microsoft Office but implied in a statement to WIRED that macros can still be used to break out of Office's sandbox on macOS. "We have investigated and determined that any application, even when sandboxed, is vulnerable to misuse of these APIs," a Microsoft spokesperson wrote. "We are in regular discussion with Apple to identify solutions to these issues and support as needed." Apple didn't respond to WIRED's request for comment.

But Wardle argues that his research should serve as an example of how broad the "attack surface" of Microsoft Office is—especially the less-examined version for Macs—and predicts that there will be more Mac-targeted macro attacks to come. "I was surprised how easy it was," he says. "I do have experience doing this, but it would be arrogant for me to think that well-resourced hacker groups aren’t looking at this and don’t have similar talents, if not more so. It's a very broad attack vector. Sufficiently resourced and clever hackers will find ways to gain access and persist on Mac systems."

"The fact that he’s now built a full exploit chain definitely proves a point," says Dutch hacker Hegt of Wardle's work. He argues that bugs like the SYLK vulnerability that enabled a supercharged macOS macro attack haven't all been fixed. "I'm pretty sure if you dig deep in Office, especially on Macs, there’s more shit to discover there."
