Antivirus firm Trend Micro have discovered a way hackers are bypassing Apple’s macOS security protection and infecting computers by deploying *.EXE files that normally run only on Windows.
Researchers found samples of macOS application (.dmg) as installers for popular software on a torrent website that includes an EXE application compiled with Mono framework to make it compatible with macOS.
Usually, running any Windows executable results in error on macOS systems, and its built-in protection mechanisms such as Gatekeeper also skips scanning .exe files for any malicious code.
“This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files,” Trend Micro said in a blog post published Monday.
The installer promises to install the Little Snitch firewall application, but also comes with the mono-compiled payload. Its job is to collect and send system information about the victim’s computer to a remote server controlled by the hackers.
Once the installation is finished, the malware also downloads and prompts users to install other adware apps, disguised as legitimate versions of Adobe Flash Media Player and Little Snitch.
The researchers found “no specific attack pattern”, but according to their telemetry the highest numbers of infected PCs were from the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.
Also the researchers were not able to run the same file on Windows—any attempts would result in an error. It seems clear enough that this malware has been designed to target macOS users only.
“Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries,” researchers explained.
“In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, the mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.”
To protect yourself from being a victim to the malware you should avoid downloading apps, tools, or any other files from any untrusted source.