Windows App Caught Running on Mac, Installing Malware

A Windows application was recently observed packing the ability to run on Macs and download and install malware on the target systems.

Despite featuring the EXE extension, which is the official executable file format for Windows, the application can run on macOS and override the platform’s built-in protection mechanisms, such as Gatekeeper, to deliver a malicious payload.

This is possible because Gatekeeper only verifies native Mac files and won’t check the EXE extension, which results in the bypass of the code signature check and verification.

The threat has been already observed infecting systems in the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.

Windows executables compiled with .NET are distributed inside ZIP archives that claim to be Mac applications. The archives do contain a .DMG file hosting the installer for Little Snitch, but an EXE file is also found bundled in the installer, Trend Micro warns.

When executed, the installer launches the EXE file, an operation enabled by the Mono framework included in the bundle (which allows for the execution of Microsoft .NET applications across platforms).

When executed, the EXE file collects system information such as model name and identifier, processor speed and details, number of processors, number of cores, memory, boot ROM version, SMC version, serial number, and UUID.

The Windows file also scans for the basic and installed apps and sends all the information to the command and control (C&C) server.

The malicious program also downloads a series of files from the Internet and executes them as soon as they are ready, while also displaying a potentially unwanted application during execution.

According to Trend Micro’s security researchers, the malware was specifically designed to run only on macOS. When attempting to run the sample in a Windows environment, an error notification is displayed instead.

The researchers warn that running EXE files on non-Windows systems could have a higher impact. Mono is normally required to load such files, but attackers are abusing the framework as a workaround to bypass the system’s protections.

“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design,” Trend Micro’s researchers note.

“We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine,” they conclude.

Related: Mac Malware Steals Browser Cookies, Sensitive Data

Related: New Mac Malware Combines Open-Source Backdoor and Crypto-Miner