This story is over 5 years old.

These Hackers Cleverly Disguised Their Malware as a Document About Trump’s Victory

Hackers likely working for a government used an old trick to target victims with a malicious document that mentioned the new US president.
Image: Evan El-Amin/Shutterstock

Malicious hackers have long used Microsoft Word macros—essentially small programs embedded within documents—to spread malware to victims using Windows operating systems. It's a really old trick, but it's been having a comeback lately, so much so that hackers likely working for a government just used this technique to target Mac victims with a Donald Trump-related bait.

A security researcher found a file on VirusTotal, a Google-owned online malware repository, that was titled "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace," apparently after an actual report from the organization. As another researcher found out, that file is actually malware that tries to hack the victim's computer using macros, and only works on Word for Apple's operating system MacOS.


Read more: The Motherboard Guide to Not Getting Hacked

While malware using macros has been around for ages, there hasn't been a lot—if any—malware using macros specifically targeting Mac users. And according to Snorre Fagerland, the researcher who spotted the malware, it's likely that this was used by a government-sponsored group.
"I really can't point the finger at anyone for this," Fagerland, who is a researcher for Symantec, told Motherboard in a Twitter chat. "But there are some indicators pointing towards Russian speakers (which actually can mean many countries), and even that could be faked."

Fagerland explained that the document's name is very unusual for mass-produced malware that criminals would use to lure a lot of people into opening an attachment. Moreover, the hacker's operational security, or OPSEC, is "very tight," meaning they used throwaway domains for their command and control server, and that server was online only for a limited amount of time. In other words, these are the type of techniques that government hackers, or Advanced Persistent Threat (APT) as they are called in industry jargon, would use, according to Fagerland.

"By using a macros in Word document they are exploiting the weakest link: humans!"

Former NSA hacker and security researcher Patrick Wardle, with the help of Fagerland and others, analyzed the malicious malware and found that it doesn't actually run on Windows, but only  on MacOS. Wardle tested the malware and discovered that it triggers a warning in MacOS's Word, asking the would-be victim to enable macros. If the target falls for it, the malware then downloads a second-stage payload,


Unfortunately, the researchers couldn't analyze this second-stage malware because the server hosting it was already down, although it's been previously associated with phishing activities. But there's no way to know exactly what was the actual goal of the hackers.

Still, this simple malware, which uses an old trick, once again shows that attackers will go where victims are—Windows or Mac, hackers don't care. But also that trying to trick users into enabling macros is still a viable technique to hack people.

"By using a macros in Word document they are exploiting the weakest link," Wardle wrote. "humans!"

That's why it's important to disable macros by default and not enable them if a weird documents asks you to so.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.