The cases of malicious software targeting Macs are increasing. Security researchers just reported that a malicious Windows .exe file is now able to infect Mac computers and download infostealer malware, accompanied by adware, onto them. The discovery comes from Trend Micro.
By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification, the security researchers underlined. However, they wrote, “we found EXE files in the wild delivering a malicious payload that overrides Mac’s built-in protection mechanisms such as Gatekeeper.”
macOS Gatekeeper Evaded in Tricky Attack
These .exe files evade Gatekeeper because Gatekeeper only inspects native Mac executables, so a Windows binary is never subjected to its code signature check and verification. The researchers determined that the highest numbers of infections are in the UK, Australia, Armenia, Luxembourg, South Africa, and the US.
The researchers obtained a sample of a popular firewall app for Mac and Windows called Little Snitch. The app was available for download on various torrent sites. “When the downloaded .ZIP file is extracted, it contains a .DMG file hosting the installer for Little Snitch”, the report explains.
While inspecting the contents of the installer, the researchers discovered an .exe file unexpectedly bundled inside it. The .exe file turned out to be a Windows executable carrying the malicious payload.
What happens after execution of the file?
When the installer is executed, the main file also launches the .exe, which can run because the Mono framework is included in the bundle. Mono allows Microsoft .NET applications to execute across platforms such as OS X.
The malware can collect system information such as model name, model identifier, processor speed, processor details, memory, etc.
The malware is also designed to enumerate the basic and installed apps on the compromised machine and send all the collected information to a command-and-control server.
It is worth noting that running exe files on non-Windows systems may have a bigger impact. Why is that?
Normally, the Mono framework must be installed on the system to compile or load .NET executables and libraries. In this case, however, bundling the framework with the files becomes a workaround: because an EXE is not a binary format that macOS’ security features recognize, it is not inspected. As for the native library differences between Windows and macOS, Mono supports DLL mapping, which redirects Windows-only dependencies to their macOS counterparts, the researchers said in their report.
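As an added illustration (not Trend Micro’s tooling and not code from the report), the following Python check walks an unpacked bundle and flags Windows PE files alongside any bundled Mono runtime files, the combination the researchers describe; the bundle layout, the file names and the Mono library name are constructed assumptions.

```python
import os
import struct
import tempfile

# Heuristic name fragments for Mono runtime artifacts (assumed names, for illustration only)
MONO_HINTS = ("libmono", "mscorlib", "mono.framework")

def is_pe_file(path: str) -> bool:
    """True if the file has a DOS 'MZ' stub whose e_lfanew offset points at a 'PE\\0\\0' header."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def scan_bundle(root: str) -> dict:
    """Walk an unpacked bundle; a native Mac bundle has no reason to carry a PE binary,
    and PE plus a bundled Mono runtime is exactly the pattern described above."""
    pe_files, mono_files = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_pe_file(full):
                pe_files.append(rel)
            elif any(h in name.lower() for h in MONO_HINTS):
                mono_files.append(rel)
    return {"pe_files": pe_files, "mono_files": mono_files, "suspicious": bool(pe_files)}

def build_sample_bundle() -> str:
    """Create a constructed fake bundle (no real malware) so the scanner can run offline."""
    root = tempfile.mkdtemp(prefix="fake_app_")
    macos_dir = os.path.join(root, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(macos_dir, "Installer"), "wb") as f:  # 64-bit Mach-O magic stub
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    with open(os.path.join(macos_dir, "libmonosgen-2.0.dylib"), "wb") as f:  # dummy Mono lib
        f.write(b"\x00" * 16)
    # Fake PE: 'MZ' DOS header with e_lfanew = 64, followed by the 'PE\0\0' signature
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    with open(os.path.join(macos_dir, "payload.exe"), "wb") as f:
        f.write(bytes(dos) + b"PE\x00\x00")
    return root
```

Run `scan_bundle(build_sample_bundle())` to see the constructed bundle flagged; point `scan_bundle` at a mounted DMG or .app directory to apply the same check to real installers.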
The researchers also believe that this evasion technique can be used in other attacks against macOS, and that cybercriminals are still exploring what they can gain from malware bundled into applications offered for download on torrent sites. macOS users should be extra careful.