The malicious .exe file is downloaded from torrent sites, avoids Gatekeeper's detection
Security researchers from Trend Micro have detected a new strain of Mac malware. According to the report published yesterday, the newly discovered campaign targets macOS with the help of an .exe file – an executable that would normally only work on the Windows operating system and would produce an error on Apple devices.
The malicious payload is delivered via an application downloaded from a torrent site. Inside the DMG file, which pretends to be the well-known firewall app Little Snitch, a hidden payload is located – a Windows executable.
Because .exe files are designed to run on Windows rather than macOS, Mac security measures like Gatekeeper skip the code signature check for them, which allows the malware to infect the system. After the payload is executed with the help of the bundled Mono framework, data-stealing malware and adware are installed on the device.
This infiltration method might open new opportunities for hackers targeting Mac users to deploy malware and bypass the implemented security measures. So far, the malware has been spotted in the United Kingdom, United States, Australia, South Africa, Luxembourg, and some other countries.
Windows executable is hidden inside .DMG file
According to the researchers, Little Snitch is not the only application that contains the malicious Installer.exe. Several other programs bundle the same malware, distributed under names such as “Paragon_NTFS_for_Mac_OS_Sierra_Fully_Activated.zip,” “TORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip,” “Little_Snitch_583_MAC_OS_X.zip,” “Wondershare_Filmora_924_Patched_Mac_OSX_X.zip,” and a few others.
Once the .zip file is extracted, a setup.dmg file appears – a macOS installer image. When it is run, the malware collects a variety of technical information, such as Model Name, Processor Details, Number of Cores, SMC Version, Serial Number, etc. Additionally, the malware enumerates the applications installed on the system and sends all the gathered details to a remote command & control server operated by the attackers.
Furthermore, the malware drops several files onto macOS, which are immediately executed. Meanwhile, the user sees what appears to be an installer for the notorious Adobe Flash Player. With this, numerous potentially unwanted applications are installed, including Adware.MacOS.MacSearch.A, Adware.MacOS.GENIEO.AB, and others.
The payload includes the Mono framework, which allows the executable to run on a Mac
By default, macOS is unable to run an executable file designed for Windows operating systems. However, the attackers found a simple workaround: they bundled Mono, an open-source implementation of Microsoft's .NET Framework, with the payload. Trend Micro explains:
Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries. In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.
Surprisingly, the executable, named Installer.exe, was unresponsive when tested on Windows.
To conclude, the researchers from Trend Micro expect the threat to expand in the near future, as this particular strain of malware can be used as an evasion technique for other attack or infection attempts, bypassing built-in safeguards such as digital certificate checks. Mac users should take extra precautions to avoid getting malicious software installed on their devices:
Users should refrain from downloading files, programs, and software from unverified sources and websites, and should install multi-layered protection for their individual and enterprise systems.
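As an added defender-side example (not code from the Trend Micro report or from the campaign), the following Python script scans an extracted DMG or .app tree for exactly the combination described above: a Windows PE executable sitting beside a bundled Mono runtime, neither of which Gatekeeper's Mach-O signature check would look at. The Mono file-name heuristic and the sample tree the script builds are assumptions, not artifacts from the campaign.

```python
import os
import struct
import tempfile

# Mach-O magics: 32/64-bit in both byte orders, plus fat (universal) binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def is_pe(head: bytes) -> bool:
    """DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def is_macho(head: bytes) -> bool:
    return head[:4] in MACHO_MAGICS

def scan_bundle(root):
    """Walk an extracted DMG/app tree and report PE, Mach-O and Mono runtime files."""
    findings = {"pe": set(), "macho": set(), "mono": set()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4096)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_pe(head):
                findings["pe"].add(rel)     # Windows binary inside a Mac package: red flag
            elif is_macho(head):
                findings["macho"].add(rel)  # the only format Gatekeeper actually inspects
            # Assumption: a bundled Mono runtime ships as 'mono' or 'libmono*'.
            if name.lower() == "mono" or name.lower().startswith("libmono"):
                findings["mono"].add(rel)
    return findings

def build_demo_bundle():
    """Constructed sample tree (not real malware): header stubs only, nothing executable."""
    root = tempfile.mkdtemp()
    macos = os.path.join(root, "Installer.app", "Contents", "MacOS")
    os.makedirs(macos)
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> right after the header
    pe += b"PE\x00\x00" + b"\x00" * 20
    files = {"Installer.exe": bytes(pe),
             "launcher": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
             "libmonosgen-2.0.dylib": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
             "README.txt": b"plain text, ignored"}
    for name, data in files.items():
        with open(os.path.join(macos, name), "wb") as f:
            f.write(data)
    return root
```

Any non-empty "pe" set is worth an alert on its own; a "pe" hit together with a "mono" hit matches the packaging Trend Micro describes.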