Malicious Windows app can bypass macOS security to steal data

Cyber criminals are using .EXE files to target macOS users specifically

Researchers have discovered a malicious Windows application that can bypass Apple's macOS safeguards to collect a user's system information and data about other apps installed like Facebook or iTunes.

The malware, which is specifically targeting Mac users, delivers its payload to a user's machine through an .EXE file that overrides Mac's built-in protection mechanisms such as Gatekeeper, according to researchers at Trend Micro.

Once the payload is executed, the malware contains a stream of system information including the model name, serial number, and hardware information such as memory and processor details. It also scans installed apps, before sending this harvested data to the command and control server. These include apps such as App Store, FaceTime, and Notes.

"We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design," said Trend Mico's Don Ladores and Luis Magisa.

Advertisement - Article continues below

"We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.

"Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems."

The .EXE file was found buried in an installer of a popular firewall app called Little Snitch, which can be sourced from a number of torrent sites. Infected users downloaded and extracted a .ZIP file which in turn contained a .DMG file which hosted the Little Snitch installer.

The researchers concluded that the .EXE file was a Windows executable responsible for delivering the malicious payload.

The malicious Little Snitch applications are also compiled with Mono framework, an open source iteration of Microsoft's .NET Framework for cross-platform .NET application development, to make them compatible with macOS. This means the .EXE is able to evade protection mechanisms such as Mac's Gatekeeper because the software only scans for native Mac files.

Running this malicious .EXE on Windows displays an error notification, Trend Micro's researchers added, indicating the malware is designed to target macOS users specifically.

Although there is no specific attack pattern, Trend Micro's telemetry data showed relatively high activity in a host of countries including the UK, US, Australia and South Africa.

Macs were once heralded as being 'virus-free', with cyber criminals far more likely to invest in mechanisms to target users on Windows machines. But in the last decade or so macOS has become a far bigger target, and particularly in recent years, with macOS malware soaring 270% in 2017 for instance.

According to a MalwareBytes report, four new malware threats were discovered in the first two months of 2018 alone, and the majority of these security threats are actually being unearthed by users rather than security researchers themselves.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Best antivirus for Windows 10

3 Sep 2019

Best free malware removal tools 2019

8 Mar 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019