- Aug 17, 2014
A variant of the infamous Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to new research.
It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel Pedragoza said in a technical report.
"While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files," Pedragoza explained. "This makes it more difficult for the user to determine whether the file is malicious since it doesn't come from an external source."
The macros embedded in the overwritten documents are engineered to contact a remote server and retrieve additional files, including a Windows executable that will not run on macOS, indicating that the attack chain is still a work in progress. That binary, in turn, attempts to download the Dridex loader onto the compromised machine.
"Currently, the impact on macOS users for this Dridex variant is minimized since the payload is an exe file (and therefore not compatible with MacOS environments)," Trend Micro said. "However, it still overwrites document files which are now the carriers of Dridex's malicious macros."
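The behaviour described above leaves a distinctive trace: many of the user's own documents suddenly carry the same macro. The following triage script is an added example, not code from Trend Micro or The Hacker News. It walks a document directory, flags Word files that contain VBA (for OOXML files by the presence of `word/vbaProject.bin`, for legacy OLE `.doc` files by a crude UTF-16LE search for the `_VBA_PROJECT` stream name, a heuristic rather than a full OLE parser such as oletools' olevba), notes `.docx`/`.dotx` files that should never contain macros, and clusters hits by payload hash so that a mass overwrite shows up as one hash across many files. The sample documents it scans are constructed inline and contain no real macro code.

```python
import hashlib
import io
import tempfile
import zipfile
from collections import defaultdict
from pathlib import Path
from typing import Optional

# Magic bytes of an OLE compound file (legacy .doc container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store stream names as UTF-16LE; a VBA project always
# carries a "_VBA_PROJECT" stream. Heuristic only: a real parser walks the
# directory instead of scanning raw bytes.
LEGACY_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
WORD_EXTENSIONS = {".doc", ".dot", ".docx", ".dotx", ".docm", ".dotm"}
# Formats whose specification does not allow an embedded macro project.
MACRO_FREE_EXTENSIONS = {".docx", ".dotx"}


def macro_payload(path: Path) -> Optional[bytes]:
    """Return the bytes identifying the macro in this file, or None if none found."""
    data = path.read_bytes()
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                # OOXML keeps the VBA project in word/vbaProject.bin.
                if name.lower().endswith("vbaproject.bin"):
                    return z.read(name)
        return None
    if data.startswith(OLE_MAGIC) and LEGACY_VBA_MARKER in data:
        # Legacy .doc: no cheap way to carve the project, hash the whole file.
        return data
    return None


def scan_documents(root: Path, min_cluster: int = 2) -> dict:
    """Flag macro-bearing Word files under root and cluster them by payload hash."""
    findings = []
    by_hash = defaultdict(list)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WORD_EXTENSIONS:
            continue
        payload = macro_payload(path)
        if payload is None:
            continue
        digest = hashlib.sha256(payload).hexdigest()
        rel = str(path.relative_to(root))
        findings.append({
            "path": rel,
            "sha256": digest,
            # A macro inside a .docx/.dotx cannot have been saved by Word.
            "extension_mismatch": path.suffix.lower() in MACRO_FREE_EXTENSIONS,
        })
        by_hash[digest].append(rel)
    # One macro payload shared by several user documents is the signature of a
    # mass overwrite rather than of a single received attachment.
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_cluster}
    return {"macro_files": findings, "clusters": clusters}


def build_sample_tree(root: Path) -> None:
    """Write a constructed document set for demonstration (assumed, not real samples)."""
    root.mkdir(parents=True, exist_ok=True)
    macro_blob = b"constructed stand-in for a vbaProject.bin, no real VBA inside"

    def write_ooxml(name: str, with_macro: bool) -> None:
        with zipfile.ZipFile(root / name, "w") as z:
            z.writestr("[Content_Types].xml", "<Types/>")
            z.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                z.writestr("word/vbaProject.bin", macro_blob)

    write_ooxml("clean.docx", False)          # untouched document
    write_ooxml("invoice.docm", True)         # overwritten, carries the macro
    write_ooxml("thesis.docm", True)          # overwritten, same macro
    write_ooxml("report.docx", True)          # same macro under a macro-free extension
    legacy = OLE_MAGIC + b"\x00" * 64 + LEGACY_VBA_MARKER + b"\x00" * 64
    (root / "old.doc").write_bytes(legacy)    # legacy container with a VBA stream name
    (root / "notes.txt").write_text("plain text, ignored by the scanner")


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_documents(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real machine, point `scan_documents` at the user's home directory and treat a single hash covering most of the hits as the mass-overwrite indicator; the `extension_mismatch` flag is the cheaper signal for individual files, since Word never writes a VBA project into a `.docx`.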
Dridex Malware Now Attacking macOS Systems with Novel Infection Method