Malicious Windows app can bypass macOS security to steal data

Cyber criminals are using .EXE files to target macOS users specifically

Researchers have discovered a malicious Windows application that can bypass Apple's macOS safeguards to collect a user's system information and data about other apps installed like Facebook or iTunes.

The malware, which is specifically targeting Mac users, delivers its payload to a user's machine through an .EXE file that overrides Mac's built-in protection mechanisms such as Gatekeeper, according to researchers at Trend Micro.

Once the payload is executed, the malware collects a stream of system information including the model name, serial number, and hardware information such as memory and processor details. It also scans installed apps, such as App Store, FaceTime, and Notes, before sending this harvested data to the command and control server.

"We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design," said Trend Micro's Don Ladores and Luis Magisa.

"We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.

"Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems."

The .EXE file was found buried in an installer of a popular firewall app called Little Snitch, which can be sourced from a number of torrent sites. Infected users downloaded and extracted a .ZIP file which in turn contained a .DMG file which hosted the Little Snitch installer.

The researchers concluded that the .EXE file was a Windows executable responsible for delivering the malicious payload.

The malicious Little Snitch applications are also compiled with the Mono framework, an open source iteration of Microsoft's .NET Framework for cross-platform .NET application development, to make them compatible with macOS. This means the .EXE is able to evade protection mechanisms such as Mac's Gatekeeper, because Gatekeeper only scans native Mac files.
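For defenders, the gap described above can be covered by looking for Windows PE files inside Mac installers by content rather than by extension. The following is an added example, not code from the article or from Trend Micro: it walks a directory tree (such as an extracted .DMG or .app bundle), flags PE files, and marks those carrying a CLR header as .NET assemblies, the kind Mono can run. The file names and the header stub are constructed for the demo.

```python
import os
import struct
import tempfile

CLR_DIR = 14  # PE data-directory slot holding the CLR header of .NET/Mono assemblies

def classify_pe(data):
    """Return None for non-PE data, else 'dotnet' or 'native'."""
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")  # offset of "PE\0\0"
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    try:
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)  # optional header
        dirs = e_lfanew + 24 + {0x10B: 96, 0x20B: 112}[magic]     # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)       # NumberOfRvaAndSizes
        rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
    except (struct.error, KeyError):
        return "native"  # still a PE file, but header truncated or unusual
    return "dotnet" if count > CLR_DIR and rva and size else "native"

def scan_tree(root, header_bytes=4096):
    """List (relative path, kind) per PE file; assumes headers sit in the first 4 KiB."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    kind = classify_pe(fh.read(header_bytes))
                if kind:
                    hits.append((os.path.relpath(path, root).replace(os.sep, "/"), kind))
    return sorted(hits)

def make_sample_pe(dotnet):
    """Constructed PE32 header stub (not a runnable program) used as demo input."""
    buf = bytearray(0x80 + 24 + 224)
    buf[:2], buf[0x3C], buf[0x80:0x84] = b"MZ", 0x80, b"PE\0\0"
    struct.pack_into("<H", buf, 0x98, 0x10B)        # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 92, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x98 + 208, *((0x2008, 72) if dotnet else (0, 0)))
    return bytes(buf)

def demo():
    """Scan a constructed bundle-like tree; the file names are made up."""
    with tempfile.TemporaryDirectory() as app:
        os.makedirs(res := os.path.join(app, "Contents", "Resources"))
        for name, dotnet in (("payload.exe", True), ("helper.bin", False)):
            with open(os.path.join(res, name), "wb") as fh:
                fh.write(make_sample_pe(dotnet))
        return scan_tree(app)
```

Any hit inside a macOS installer deserves a closer look, and a `dotnet` hit alongside a bundled Mono runtime matches the delivery pattern described here.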

Running this malicious .EXE on Windows displays an error notification, Trend Micro's researchers added, indicating the malware is designed to target macOS users specifically.

Although there is no specific attack pattern, Trend Micro's telemetry data showed relatively high activity in a host of countries including the UK, US, Australia and South Africa.

Macs were once heralded as being 'virus-free', with cyber criminals far more likely to invest in mechanisms to target users on Windows machines. But over the last decade or so, and particularly in recent years, macOS has become a far bigger target; macOS malware soared 270% in 2017, for instance.

According to a Malwarebytes report, four new malware threats were discovered in the first two months of 2018 alone, and the majority of these security threats are actually being unearthed by users rather than security researchers themselves.
