
office exploit on MacOS

rlz

RAID array · User · Joined 23.04.2020 · Messages 70 · Reactions 26
Abstract:
In the world of Windows, macro-based Office attacks are well understood (and frankly are rather old news). However, on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community.
In this talk, we will begin by analyzing recent macro-laden documents targeting Apple’s desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, these malicious documents and their payloads remain severely constrained by recent application and OS-level security mechanisms.

However, things could be far worse! Here, we’ll detail the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!

To conclude, we’ll explore Apple’s new Endpoint Security Framework, illustrating how it can be leveraged to thwart each stage of our exploit chain, as well as generically detect advanced “document-delivered” payloads and even persistent nation-state malware!

Article - https://objective-see.com/blog/blog_0x4B.html