
Windows App Caught Running on Mac, Installing Malware

A Windows application was recently observed packing the ability to run on Macs and download and install malware on the target systems.

Despite carrying the EXE extension, the official executable file format for Windows, the application can run on macOS and bypass the platform’s built-in protection mechanisms, such as Gatekeeper, to deliver a malicious payload.

This is possible because Gatekeeper verifies only native Mac files and does not check EXE files, so the code signature check and verification are bypassed.

The threat has already been observed infecting systems in the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.

The .NET-compiled Windows executables are distributed inside ZIP archives that claim to be Mac applications. The archives do contain a .DMG file hosting the installer for Little Snitch, but an EXE file is also bundled inside the installer, Trend Micro warns.

When executed, the installer launches the EXE file, an operation enabled by the Mono framework included in the bundle (which allows for the execution of Microsoft .NET applications across platforms).
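The packaging described above (a Mac installer carrying a .NET EXE plus the Mono runtime) is something a defender can check for before Gatekeeper ever sees the file. The following Python script is an added example, not Trend Micro’s or SecurityWeek’s code: it walks unpacked archive contents, recognises PE executables by their headers rather than by extension, reads the CLR runtime header data directory to tell .NET assemblies from native Windows binaries, and flags Mono runtime libraries by name. The bundle layout, file names and the header-only PE stub are constructed sample data.

```python
import os, struct, tempfile

def pe_info(data: bytes):
    """(is_pe, is_dotnet) decided from the headers alone; the file name is ignored."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if pe + 26 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return False, False
    opt = pe + 24                                              # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112) + 14 * 8        # data directory 14 = CLR runtime header
    if dd + 8 > len(data):
        return True, False
    rva, size = struct.unpack_from("<II", data, dd)
    return True, rva != 0 and size != 0

def build_stub(dotnet: bool) -> bytes:
    """Constructed PE32 header-only image used as sample input (not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 14 + [(0x2008, 72) if dotnet else (0, 0), (0, 0)]   # slot 14 = CLR header
    opt = struct.pack("<H", 0x10B) + b"\0" * 94
    return dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)

def scan_bundle(root: str):
    """Walk unpacked archive contents; flag PE files under any name and Mono runtime libraries."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                is_pe, is_dotnet = pe_info(fh.read(4096))
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_pe:
                findings.append((rel, "dotnet-pe" if is_dotnet else "native-pe"))
            elif name.lower().startswith(("libmono", "mono-sgen")) or name.lower() == "mscorlib.dll":
                findings.append((rel, "mono-runtime"))
    return sorted(findings)

def demo():
    """Constructed layout mirroring the article: Mach-O launcher, bundled .NET EXE, Mono library."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(macos := os.path.join(tmp, "Installer.app", "Contents", "MacOS"))
        samples = {"Installer": b"\xcf\xfa\xed\xfe" + b"\0" * 60,        # Mach-O 64-bit magic, benign
                   "Installer.exe": build_stub(dotnet=True), "libmonosgen-2.0.dylib": b"\0" * 16}
        for name, blob in samples.items():
            with open(os.path.join(macos, name), "wb") as fh:
                fh.write(blob)
        return scan_bundle(tmp)
```

Run `scan_bundle()` over the extracted contents of a downloaded ZIP or mounted DMG; any `dotnet-pe` or `native-pe` hit inside a Mac application bundle, especially alongside a `mono-runtime` hit, is the pattern this article describes.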

When executed, the EXE file collects system information such as model name and identifier, processor speed and details, number of processors, number of cores, memory, boot ROM version, SMC version, serial number, and UUID.

The Windows file also scans for basic and installed apps and sends all of the collected information to the command and control (C&C) server.

The malicious program also downloads a series of files from the Internet and executes them as soon as they are ready, while also displaying a potentially unwanted application during execution.

According to Trend Micro’s security researchers, the malware was specifically designed to run only on macOS. When attempting to run the sample in a Windows environment, an error notification is displayed instead.

The researchers warn that running EXE files on non-Windows systems could have a higher impact. Mono is normally required to load such files, but attackers are abusing the framework as a workaround to bypass the system’s protections.

“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design,” Trend Micro’s researchers note.

“We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine,” they conclude.

Related: Mac Malware Steals Browser Cookies, Sensitive Data

Related: New Mac Malware Combines Open-Source Backdoor and Crypto-Miner

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
