Malicious Windows app can bypass macOS security to steal data
Cyber criminals are using .EXE files to target macOS users specifically
Researchers have discovered a malicious Windows application that can bypass Apple's macOS safeguards to collect a user's system information and data about other apps installed like Facebook or iTunes.
The malware, which is specifically targeting Mac users, delivers its payload to a user's machine through an .EXE file that overrides Mac's built-in protection mechanisms such as Gatekeeper, according to researchers at Trend Micro.
Once the payload is executed, the malware contains a stream of system information including the model name, serial number, and hardware information such as memory and processor details. It also scans installed apps, before sending this harvested data to the command and control server. These include apps such as App Store, FaceTime, and Notes.
"We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design," said Trend Mico's Don Ladores and Luis Magisa.
"We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.
"Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems."
The .EXE file was found buried in an installer of a popular firewall app called Little Snitch, which can be sourced from a number of torrent sites. Infected users downloaded and extracted a .ZIP file which in turn contained a .DMG file which hosted the Little Snitch installer.
The researchers concluded that the .EXE file was a Windows executable responsible for delivering the malicious payload.
The malicious Little Snitch applications are also compiled with Mono framework, an open source iteration of Microsoft's .NET Framework for cross-platform .NET application development, to make them compatible with macOS. This means the .EXE is able to evade protection mechanisms such as Mac's Gatekeeper because the software only scans for native Mac files.
Running this malicious .EXE on Windows displays an error notification, Trend Micro's researchers added, indicating the malware is designed to target macOS users specifically.
Although there is no specific attack pattern, Trend Micro's telemetry data showed relatively high activity in a host of countries including the UK, US, Australia and South Africa.
Macs were once heralded as being 'virus-free', with cyber criminals far more likely to invest in mechanisms to target users on Windows machines. But in the last decade or so macOS has become a far bigger target, and particularly in recent years, with macOS malware soaring 270% in 2017 for instance.
According to a MalwareBytes report, four new malware threats were discovered in the first two months of 2018 alone, and the majority of these security threats are actually being unearthed by users rather than security researchers themselves.
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now