Malicious Windows app can bypass macOS security to steal data

Cyber criminals are using .EXE files to target macOS users specifically

Researchers have discovered a malicious Windows application that can bypass Apple's macOS safeguards to collect a user's system information and data about other installed apps such as Facebook or iTunes.

The malware, which is specifically targeting Mac users, delivers its payload to a user's machine through an .EXE file that overrides Mac's built-in protection mechanisms such as Gatekeeper, according to researchers at Trend Micro.

Once the payload is executed, the malware collects a stream of system information including the model name, serial number, and hardware information such as memory and processor details. It also scans installed apps, such as App Store, FaceTime, and Notes, before sending this harvested data to the command and control server.

"We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design," said Trend Micro's Don Ladores and Luis Magisa.


"We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.

"Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems."

The .EXE file was found buried in an installer of a popular firewall app called Little Snitch, which can be sourced from a number of torrent sites. Infected users downloaded and extracted a .ZIP file which in turn contained a .DMG file which hosted the Little Snitch installer.

The researchers concluded that the .EXE file was a Windows executable responsible for delivering the malicious payload.

The malicious Little Snitch applications are also compiled with the Mono framework, an open source implementation of Microsoft's .NET Framework for cross-platform .NET application development, to make them compatible with macOS. This means the .EXE is able to evade protection mechanisms such as Mac's Gatekeeper, because Gatekeeper only scans native Mac files.
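Because the check described above only looks at native Mac files, a defender can look for the opposite: Windows PE executables sitting inside a macOS app bundle or mounted disk image. The following is an added example, not code from Trend Micro or the article; the bundle layout, file names and sample bytes are constructed for illustration.

```python
import os
import struct
import tempfile

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except (OSError, OverflowError):
        return False

def find_pe_in_bundle(bundle_root):
    """Walk an extracted .app bundle or mounted DMG; return relative paths of PE files."""
    hits = []
    for dirpath, _dirs, files in os.walk(bundle_root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks so the scan stays inside the bundle.
            if not os.path.islink(full) and is_pe(full):
                hits.append(os.path.relpath(full, bundle_root))
    return sorted(hits)

def build_sample_bundle(root):
    """Constructed sample: fake .app with a minimal PE stub, a Mach-O stub and a decoy."""
    app = os.path.join(root, "Sample.app")
    res = os.path.join(app, "Contents", "Resources")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(res)
    os.makedirs(macos)
    pe = bytearray(0x84)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)   # e_lfanew -> offset of PE signature
    pe[0x80:0x84] = b"PE\0\0"
    with open(os.path.join(res, "installer.exe"), "wb") as f:
        f.write(pe)
    with open(os.path.join(macos, "Sample"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 60)   # 64-bit Mach-O magic
    with open(os.path.join(res, "notes.txt"), "wb") as f:
        f.write(b"MZ" + b"x" * 100)                  # starts with MZ, but is not a PE
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_pe_in_bundle(build_sample_bundle(tmp)))
```

The check validates the PE signature rather than trusting the `.exe` extension, so renamed executables are still reported and text files that merely begin with "MZ" are not.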

Running this malicious .EXE on Windows displays an error notification, Trend Micro's researchers added, indicating the malware is designed to target macOS users specifically.


Although there is no specific attack pattern, Trend Micro's telemetry data showed relatively high activity in a host of countries including the UK, US, Australia and South Africa.

Macs were once heralded as being 'virus-free', with cyber criminals far more likely to invest in mechanisms to target users on Windows machines. But in the last decade or so, and particularly in recent years, macOS has become a far bigger target, with macOS malware soaring 270% in 2017, for instance.

According to a Malwarebytes report, four new malware threats were discovered in the first two months of 2018 alone, and the majority of these security threats are actually being unearthed by users rather than security researchers themselves.
