A Windows application was recently observed with the ability to run on Macs and to download and install malware on the target systems.
Despite carrying the EXE extension, the native executable format for Windows, the application can run on macOS and bypass the platform’s built-in protection mechanisms, such as Gatekeeper, to deliver a malicious payload.
This is possible because Gatekeeper only verifies native Mac files and does not check files with the EXE extension, so the code signature check and verification are bypassed.
The threat has already been observed infecting systems in the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.
Windows executables compiled with .NET are distributed inside ZIP archives that claim to be Mac applications. The archives do contain a .DMG file hosting the installer for Little Snitch, but an EXE file is also bundled in the installer, Trend Micro warns.
When executed, the installer launches the EXE file, an operation made possible by the Mono framework included in the bundle, which allows Microsoft .NET applications to be executed across platforms.
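The two points above (Gatekeeper assesses only native Mach-O files, and a bundled Mono runtime is what lets a managed .NET EXE execute on macOS) suggest a simple triage check a defender can run over an unpacked installer or app bundle. The following is an added example, not code from the original article or from Trend Micro: it walks a directory, identifies PE files by their MZ/PE headers, reads the CLR runtime data directory (entry 14 of the optional header) to tell a managed .NET assembly from a native Windows binary, and flags the combination of a .NET assembly and a bundled Mono library. The bundle layout, the file names and the Mono library prefixes used in the constructed sample are assumptions for illustration; the PE header offsets follow the PE/COFF specification.

```python
import os
import struct
import tempfile
from typing import Optional

# Assumption: a bundled Mono runtime ships dylibs whose names start with these prefixes.
MONO_LIBRARY_PREFIXES = ("libmono", "libmonosgen")


def parse_pe(data: bytes) -> Optional[dict]:
    """Parse a PE header from the start of a file; return None if it is not a PE.

    The result records the machine type, whether the image is PE32+, and whether
    the CLR runtime header (data directory 14) is populated, which marks a
    managed .NET assembly, i.e. the kind of file Mono can run on macOS.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # start of the optional header
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        pe32plus, nrva_off, dd_off = False, 92, 96
    elif magic == 0x20B:    # PE32+
        pe32plus, nrva_off, dd_off = True, 108, 112
    else:
        return None
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    is_dotnet = False
    if nrva > 14:
        clr_off = opt + dd_off + 14 * 8  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        if clr_off + 8 <= opt + opt_size:
            rva, size = struct.unpack_from("<II", data, clr_off)
            is_dotnet = rva != 0 and size != 0
    return {"machine": machine, "pe32plus": pe32plus, "is_dotnet": is_dotnet}


def scan_bundle(root: str) -> dict:
    """Walk an unpacked bundle and report PE files, .NET assemblies and Mono libraries."""
    findings = {"pe_files": [], "dotnet_files": [], "mono_present": False}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().startswith(MONO_LIBRARY_PREFIXES):
                findings["mono_present"] = True
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # headers of real PE files sit well within this
            except OSError:
                continue
            info = parse_pe(head)
            if info is None:
                continue
            rel = os.path.relpath(path, root)
            findings["pe_files"].append(rel)
            if info["is_dotnet"]:
                findings["dotnet_files"].append(rel)
    # A managed EXE plus a Mono runtime is the combination Gatekeeper never assesses.
    findings["suspicious"] = findings["mono_present"] and bool(findings["dotnet_files"])
    return findings


def build_fake_pe(dotnet: bool = True, pe32plus: bool = False) -> bytes:
    """Constructed sample: a minimal PE header, optionally with a CLR directory set."""
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    machine = 0x8664 if pe32plus else 0x14C
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", buf, opt + (108 if pe32plus else 92), 16)  # NumberOfRvaAndSizes
    if dotnet:
        clr = opt + (112 if pe32plus else 96) + 14 * 8
        struct.pack_into("<II", buf, clr, 0x2008, 0x48)  # non-zero CLR header RVA/size
    return bytes(buf)


def demo() -> dict:
    """Build a constructed bundle on disk (assumed layout) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        macos_dir = os.path.join(root, "Installer.app", "Contents", "MacOS")
        os.makedirs(macos_dir)
        with open(os.path.join(macos_dir, "Installer"), "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"\0" * 60)  # Mach-O 64-bit magic, not a PE
        with open(os.path.join(macos_dir, "Installer.exe"), "wb") as fh:
            fh.write(build_fake_pe(dotnet=True))
        with open(os.path.join(macos_dir, "libmonosgen-2.0.dylib"), "wb") as fh:
            fh.write(b"\0" * 16)
        return scan_bundle(root)


if __name__ == "__main__":
    print(demo())
```

In practice the scan would be run over the contents of the mounted .DMG or the extracted ZIP; the check is cheap because only the first few kilobytes of each file are read, and it deliberately reports native PE files separately from managed ones so that an analyst sees which binaries a bundled Mono runtime could actually execute.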
When executed, the EXE file collects system information such as model name and identifier, processor speed and details, number of processors, number of cores, memory, boot ROM version, SMC version, serial number, and UUID.
The Windows file also enumerates the basic and installed applications and sends all of this information to the command and control (C&C) server.
The malicious program also downloads a series of files from the Internet and executes them as soon as they are ready, while displaying a potentially unwanted application during execution.
According to Trend Micro’s security researchers, the malware was specifically designed to run only on macOS. When attempting to run the sample in a Windows environment, an error notification is displayed instead.
The researchers warn that running EXE files on non-Windows systems could have a greater impact than expected. Mono is normally required to load such files, and attackers are abusing the framework as a workaround to bypass the system’s protections.
“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design,” Trend Micro’s researchers note.
“We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine,” they conclude.
Related: Mac Malware Steals Browser Cookies, Sensitive Data
Related: New Mac Malware Combines Open-Source Backdoor and Crypto-Miner