This might seem a bit odd, but it’s a fact- new malicious Windows .exe that target macOS computers have been detected.

Security researchers at Trend Micro have discovered malicious Windows EXE files (which are supposed to run only on Windows platforms) that could bypass Mac’s security mechanisms and deliver malware on MacOS systems.

A Trend Micro blog post that gives details of this discovery; the post, authored by Don Ladores and Luis Magisa, says, “EXE is the official executable file format used for Windows to signify that they only run on Windows platforms, and to serve as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification…However, we found EXE files in the wild delivering a malicious payload that overrides Mac’s built-in protection mechanisms such as Gatekeeper.”

The post further says, “This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files.”

The Trend Micro team had discovered several samples of malicious macOS application files (DMG files) that masqueraded as installers for Little Snitch, a popular firewall app for Mac and Windows that’s available for download from various torrent websites. They found, in the installer contents, the unusual presence of .EXE file that’s compiled with the Mono framework to make it compatible with macOS. The Trend Micro blog post says, “When the installer is executed, the main file also launched the executable as it is enabled by the mono framework included in the bundle. This framework allows the execution of Microsoft .NET applications across platforms such as OSX.”

The blog post explains it further- “Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries. In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.”

The researchers suspect that this malware can be used by hackers as an evasion technique for other attacks or infection attempts to bypass built-in safeguards. They feel that cybercriminals could still be studying the possibilities of using this information and routine and hence the researchers are still continuing with their investigations. Though no specific attack pattern has been discovered, the infections were the highest in the U.S, the U.K, Australia, Luxembourg, Armenia and South Africa.

To protect themselves from this attack, users should avoid downloading files, programs, and software from unverified sources and websites. They should also install multi-layered protection for their systems.

Post a comment