Mac backdoor Trojan embedded inside boobytrapped Word documents

Apple store. Image credit: pcruciatti / Shutterstock.comThe folks at AlienVault discovered an interesting new Mac malware attack this week.

A backdoor Trojan horse, which would allow a remote hacker to access your Mac computer without your knowledge and potentially snoop on your files and activity, has been discovered hidden inside a boobytrapped Word document.

The targeted attack relies upon a critical security vulnerability discovered in Microsoft Word back in 2009, which allowed remote code execution (MS09-027).

In a nutshell, if you open the boobytrapped Word document, a Trojan horse gets dropped onto your Mac opening a backdoor for remote hackers. Furthermore, a decoy document called file.doc is also dumped onto your drive.

Sign up to our free newsletter.
Security news, advice, and tips.

Dropped decoy Word document

The nature of the decoy document, which claims to be about Human Rights abuses in Tibet by the Chinese, is sure to raise some eyebrows.

Inevitably there will be speculation that this attack is related to ‘Ghostnet’, the alleged campaign by China to spy via the internet on pro-Tibet organisations, including the Tibetan government-in-exile and the private office of the Dalai Lama.

If that’s the case, then it would seem that ‘Ghostnet’ is now targeting Mac users inside organisations sympathetic to Tibet and banned Chinese groups.

And don’t be fooled into thinking that you are protected by Mac OS X itself, which will ask for an administrator’s username and password to install software. You won’t see any prompt for credentials when this malware installs, as it is a userland Trojan.

Neither the /tmp/ nor /$HOME/Library/LaunchAgents folders on Mac OS X require root privileges – meaning that software applications can run in userland with no difficulties, and even open up network sockets to transfer data.

Mac malware hex dump

Sophos anti-virus products detect the malformed Word documents as Troj/DocOSXDr-A and the Mac backdoor Trojan horse as OSX/Bckdr-RLG. The servers that the malware attempts to communicate with have been categorised by Sophos as malware repositories since at least 2009.

Once again, Mac users need to remember to not be complacent about the security of their computers. Although there is much less malware for Mac than there is for Windows, that is going to be no compensation if you happen to be targeted by an attack like this.

If you’re not already doing so, run anti-virus software on your Macs. If you’re a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.

Image credit: pcruciatti / Shutterstock.com


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.