MacControl is classified by cybersecurity analysts as a late-stage Trojan threat that is designed to target Mac users specifically. If MacControl manages to embed itself onto the user's computer successfully, it would provide the attackers with a broad level of control over the compromised device. 

MacControl was delivered through a targeted attack campaign that saw the dissemination of weaponized word documents among Mac users. To gain a foothold on the system, the hackers exploited an old Office for Mac vulnerability. The exploit emerges whenever Microsoft Office Word attempts to handle a Word document that was created to include a malformed record specifically. Through the vulnerability, the threat actor can achieve remote code execution privileges. The cybercriminals could install programs, manipulate the file system, create new accounts with full user rights, etc. It appears that users with accounts possessing limited rights are less impacted by the threat, compared to users with full administrative rights.

MacControl Attack Chain

The first step of the attack is the delivery of the email containing the Trojanized Word document as an attachment. Whenever the user opens the corrupted document with Office for Mac, it triggers the initial corrupted payload that copies itself to the memory. In the second stage of the attack, several files are copied to the /tmp/ folder on the disk, and then a corrupted script is executed.

During the next stage, the first real malware threat is dropped on the infected system. It is a previously detected threat with a Command-and-Control server based in New York. The attack contains one more step and it is here that the MacControl, previously unknown malware creation, is delivered to the computer. Several different versions of MacControl have been observed by infosec researchers, each designed to work on a different architecture.

MacControl Attack Shows Ties to China

Strong evidence has been uncovered pointing towards the criminals responsible for MacControl being located or having ties to China. The lure Word documents used to initiate the attack talk about poignant regional issues and are structured to appear as a letter addressed to the United Nations Human Rights Commission. The topic is the anniversary of the Tibetan uprising against China. Another link was discovered when researchers found out that the Command-and-Control infrastructure for MacControl was also based in China.


Most Viewed