Malware for windows vs mac

3/4/2023

On March 16, FortiGuard Labs captured a new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X and Microsoft Windows systems. We then analyzed the sample, and in this blog we are going to explain how it works, step by step.

When the Word file is opened, it prompts victims to enable the Macro security option, which allows the malicious VBA code to be executed.

Figure 1. Asks victim to enable Macro security option

Once the malicious VBA code is executed, the AutoOpen() function is automatically called. The first thing it does is read the data from the “Comments” property of the Word file.

Figure 2.

The value of the “Comments” property is base64 encoded, which can be read out and decoded by the VBA code below:

After it’s base64-decoded, we can capture the code in plaintext, which is a Python script, as shown below.

Next, it takes a different route depending on the OS type, Apple Mac OS X or Microsoft Windows, that it is running on. You can see this in the flow chart in Figure 3.

Figure 3. Calling different route according to OS type
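A defender can triage documents for the staging trick described above, a base64-encoded script hidden in the “Comments” property. The following is an added example, not code from the original analysis or from the sample. It assumes an OOXML container (for example .docm), where Word stores Comments as dc:description in docProps/core.xml; the function names, the hint list and the sample document are constructed for illustration.

```python
import base64, io, re, zipfile
import xml.etree.ElementTree as ET

DC_DESCRIPTION = "{http://purl.org/dc/elements/1.1/}description"
# Assumed heuristic: tokens that suggest the decoded text is script code. Tune for your environment.
SCRIPT_HINTS = re.compile(r"\b(import|exec|eval|urllib|socket|subprocess|powershell)\b")

def read_comments(doc_bytes):
    """Return the Comments property (dc:description in docProps/core.xml), or ''."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find(DC_DESCRIPTION)
    return (node.text or "").strip() if node is not None else ""

def triage_comments(value, min_len=40):
    """Return the decoded text if value is base64 that decodes to script-like text, else None."""
    compact = "".join(value.split())          # tolerate line-wrapped base64
    if len(compact) < min_len:                # short human comments are not interesting
        return None
    try:
        # validate=True rejects ordinary prose (spaces removed, but punctuation remains)
        text = base64.b64decode(compact, validate=True).decode("utf-8")
    except ValueError:                        # covers binascii.Error and UnicodeDecodeError
        return None
    return text if SCRIPT_HINTS.search(text) else None

def build_sample(comments):
    """Constructed test document: a minimal zip holding only docProps/core.xml."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:description>%s</dc:description></cp:coreProperties>' % comments)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed, harmless stand-in for an encoded script stored in the property.
BENIGN_SCRIPT = "import platform\nprint(platform.system())\n"
ENCODED = base64.b64encode(BENIGN_SCRIPT.encode()).decode()

if __name__ == "__main__":
    samples = [("encoded", ENCODED), ("plain", "Quarterly report draft, reviewed by finance team.")]
    for label, comments in samples:
        hit = triage_comments(read_comments(build_sample(comments)))
        print(label, "->", "SUSPICIOUS" if hit else "ok")
```

Legacy binary .doc files keep the same property in the OLE SummaryInformation stream, which this example does not parse.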