
Windows App Caught Running on Mac, Installing Malware

A Windows application has been observed running on Macs and downloading and installing malware on the target systems.

Despite carrying the EXE extension, the native executable format for Windows, the application runs on macOS and sidesteps the platform’s built-in protection mechanisms, such as Gatekeeper, to deliver a malicious payload.

This is possible because Gatekeeper only verifies native Mac executables; an EXE file is never subjected to its code-signature check, so signature verification is bypassed altogether.

The threat has been already observed infecting systems in the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.

Windows executables compiled with .NET are distributed inside ZIP archives that claim to be Mac applications. The archives do contain a .DMG file hosting the installer for Little Snitch, but an EXE file is also bundled inside the installer, Trend Micro warns.

When executed, the installer launches the EXE file, an operation enabled by the Mono framework included in the bundle (which allows for the execution of Microsoft .NET applications across platforms).

When executed, the EXE file collects system information such as model name and identifier, processor speed and details, number of processors, number of cores, memory, boot ROM version, SMC version, serial number, and UUID.


The Windows executable also enumerates the basic and installed apps and sends all of the information to the command and control (C&C) server.

The malicious program also downloads a series of files from the Internet and executes them as soon as they are ready, while also displaying a potentially unwanted application during execution.

According to Trend Micro’s security researchers, the malware was specifically designed to run only on macOS. When attempting to run the sample in a Windows environment, an error notification is displayed instead.

The researchers warn that running EXE files on non-Windows systems could have a higher impact. Mono is normally required to load such files, and attackers are abusing the framework as a workaround to bypass the system’s protections.
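A defender-side check for the pattern described above, as an added example rather than Trend Micro's or SecurityWeek's code: it walks an unpacked installer, flags any file whose content is a PE executable (regardless of extension) and any bundled Mono runtime piece, and treats the combination as suspicious. The Mono file names and the bundle layout are assumptions, and the sample bundle is constructed inline from inert stubs.

```python
import struct
import tempfile
from pathlib import Path

# Assumption: Mono on macOS ships its runtime as libmonosgen-2.0.dylib or a
# "mono" launcher; these prefixes are used here only as indicators.
MONO_INDICATORS = ("libmonosgen", "libmono", "mono")

def is_pe_file(path: Path) -> bool:
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with path.open("rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        pe_offset = struct.unpack_from("<I", head, 0x3C)[0]
        f.seek(pe_offset)
        return f.read(4) == b"PE\0\0"

def scan_bundle(root: Path) -> dict:
    """Walk an unpacked installer and report PE files and Mono runtime pieces."""
    pe_files, mono_files = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_pe_file(p):
            pe_files.append(rel)  # content check, so a renamed .exe is still caught
        if p.name.lower().startswith(MONO_INDICATORS):
            mono_files.append(rel)
    return {"pe_files": pe_files, "mono_files": mono_files,
            "suspicious": bool(pe_files and mono_files)}

def demo() -> dict:
    """Build a constructed, inert bundle in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Installer.app" / "Contents"
        (root / "MacOS").mkdir(parents=True)
        (root / "Frameworks").mkdir()
        # Minimal MZ + PE stub (constructed; not a real program)
        pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
        (root / "MacOS" / "payload.exe").write_bytes(pe_stub)
        # Same stub under a neutral name: extension hiding does not defeat the check
        (root / "MacOS" / "data.bin").write_bytes(pe_stub)
        # Fake Mono runtime library and a harmless Mach-O-looking native decoy
        (root / "Frameworks" / "libmonosgen-2.0.dylib").write_bytes(b"\0" * 16)
        (root / "MacOS" / "Installer").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        return scan_bundle(root)

if __name__ == "__main__":
    print(demo())
```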

“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design,” Trend Micro’s researchers note.

“We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine,” they conclude.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
