An ’80s File Format Enabled Stealthy Mac Hacking
Microsoft Office macros have long been a crude but effective tool in the hands of hackers: Trick someone into opening an attachment and clicking “allow” to enable macros, and a simple Word document can run a script of commands that serves as the first step toward taking over their device. While that macro trick has increasingly been used to target Microsoft Office on macOS, one Mac hacker sought out a stealthier and more reliable method of exploiting it. He found one in an obscure, 30-year-old file format.
At the Black Hat security conference today, former NSA hacker Patrick Wardle plans to detail that technique, which exploits a series of vulnerabilities in both Microsoft Office and macOS to gain full access to the target Mac. One of those bugs relates to how Excel handles a certain, largely outdated file type called Symbolic Link. SYLK hasn’t been in common use since the 1980s, but it provided a link in the chain that fully bypassed Microsoft Office’s security restrictions on macros. Combined with other vulnerabilities in macOS, Wardle’s technique—which Apple patched after he alerted the company to it earlier this year—would have allowed a hacker to take over a target computer with no warning when their target merely clicked on a malicious attachment.
“The system is fully owned and infected,” says Wardle, principal security researcher at Apple-focused security firm Jamf and the author of the forthcoming The Art of Mac Malware. “And there’s no sign the attack is occurring.”
Wardle says he first became curious about Mac-targeted macro attacks around 2017, when security firms began to warn about their use against Apple customers rather than the typical Windows victims. More Mac-targeted macro attacks surfaced in 2018 and 2019, including Kaspersky’s discovery in 2019 that North Korean hackers were apparently using macros to steal cryptocurrency from Mac users. As Macs became more prevalent in the workplace, so did the threat from macro-based attacks.
“We were seeing interest from hacker groups. So I wondered, could things be worse? Is this something we should be paying more attention to, or are these lame attacks?” Wardle says. So he decided to see if he could develop a more powerful Mac-targeted macro attack, one that wouldn’t require the victim to click “allow” and that wouldn’t be confined to the so-called sandbox that limits an application’s access to the rest of the computer, preventing it from stealing files or installing persistent malware. “Working at the NSA corrupted my mind and filled it with evil ideas,” Wardle says. “I basically wanted to come up with a macro-based attack that I wouldn’t be embarrassed to use against a target.”
In October of last year, Wardle saw that Dutch researchers Stan Hegt and Pieter Ceelen revealed an intriguing bug in Microsoft Office. Excel failed to warn the user before running any macro contained in a file in the SYLK file format, an almost-forgotten file type but one with which Microsoft Office had maintained compatibility. The trick worked by default in a 2011 version of Microsoft Office, bypassing any macro warning. But it also worked, ironically, in more recent versions when a user or an administrator had set the program to its most secure configuration. When Excel was set to disable all macros with no notice to the user, it instead ran SYLK file macros automatically.
The vulnerability, Hegt explains, stems from Microsoft’s use of entirely different code to manage the old SYLK files than the code used to handle more recent file formats. “There are two different macro engines in one product, and that’s a very interesting starting place for research,” Hegt says.
The Dutch researchers warned Microsoft about the vulnerability, but the company didn’t issue a patch, in part because a hacker that used it would still be stranded in Microsoft Office’s sandbox. But it took Wardle only two days of work, he says, to chain together a series of tricks to break out of Microsoft Office’s quarantine and into the rest of the computer.