
Malware developers are looking for new ways to infect Mac users with .exe files. Such files normally only work on Windows devices, but according to Trend Micro security researchers, hackers are trying to find ways to change that.

Trend Micro researchers looked at an app on a torrent site that would install Little Snitch, a firewall app for macOS. The DMG file also contained an .exe file with hidden content. The investigators think the hackers are trying to evade Gatekeeper in this way. Gatekeeper is a security feature of macOS that requires apps to be signed before the OS installs them. Exe files are not covered, because Gatekeeper only looks at native macOS files.

Bypassing security

Trend Micro researchers therefore suspect that the developers of the malware are trying to circumvent the security of macOS in this way. They think so because .exe files just work on Mac devices. We think cybercriminals are still looking at the opportunities for this malware when they deliver it with apps and make it available on torrent sites. So we will continue to investigate how cybercriminals can use this information.

By default, an .exe file does not work on a Mac device. The installer found by Trend Micro researchers works around this by bundling the .exe file with the Mono framework, which allows Windows apps to run on macOS, Android and other operating systems. The DLL mapping and other support needed to deliver the malware were also built in. Remarkably, the researchers could not run the .exe file on Windows.
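A defender can check a mounted DMG or an .app bundle for the pattern described above: Windows PE files sitting inside a macOS package. The sketch below is an added example, not code from Trend Micro or from this article; the function names are hypothetical and the sample images are constructed, header-only inputs. It identifies PE files by their headers rather than by extension, and marks those with a CLR runtime header as .NET assemblies, the kind of executable a bundled Mono runtime can run.

```python
import os
import struct

def classify_pe(data: bytes):
    """Return None (not a PE image), 'native' or 'dotnet' from a file's leading bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    opt = e_lfanew + 24  # optional header: after 4-byte signature + 20-byte COFF header
    if len(data) < opt + 2:
        return "native"
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    clr = dirs + 14 * 8  # directory 14 is the CLR (.NET) runtime header
    if len(data) < clr + 8 or struct.unpack_from("<I", data, dirs - 4)[0] <= 14:
        return "native"
    rva, size = struct.unpack_from("<II", data, clr)
    return "dotnet" if rva and size else "native"

def scan_tree(root, read_len=4096):
    """Walk a mounted DMG or .app bundle; report PE files whatever their extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_pe(fh.read(read_len))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if kind:
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def make_sample_pe(dotnet: bool) -> bytes:
    """Constructed input: a header-only PE32 image, not a real program."""
    buf = bytearray(0x80 + 24 + 224)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x80 + 24, 0x10B)    # PE32 magic
    struct.pack_into("<I", buf, 0x80 + 24 + 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", buf, 0x80 + 24 + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)
```

Calling `scan_tree()` on the mount point of a DMG returns `(relative path, kind)` pairs; any hit inside a macOS installer deserves a closer look, since such files fall outside what Gatekeeper inspects.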

The Little Snitch installer collected a lot of information: the unique ID, the model number and the apps on a device were mapped out. In addition, the malware downloaded and installed various adware apps. Some of them were disguised as legitimate versions of Little Snitch and Adobe's Flash Media Player.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.