Apple Updates macOS to Detect Malware Disguised in Windows EXE Files

Apple has reportedly updated the macOS XProtect anti-malware framework to protect Macs against an innovative type of attack carried out using cross-platform Windows executable files. Usually considered harmless because they can't run on macOS, Windows EXE files have recently been used because of the emergence of cross-platform software frameworks, particularly one called Mono, which can be used to run EXE files created specifically for it. The unnamed malware, first reported in February this year, bundled such seemingly innocuous files with pirated copies of popular Mac apps, and included the Mono framework to ensure that they would be able to run on Macs. Infected Macs then sent personally identifying information to a remote server and had even more malware sent to them including advertising spam.

The threat was first reported by Trend Micro, after the security firm detected such infections in the US, UK, Europe, Australia, and South Africa. Now, Apple appears to have updated XProtect, which works in conjunction with the Gatekeeper and File Quarantine tools, to detect and such executables and prevent them from causing harm. 

Bleeping Computer reports that macOS security expert Patrick Wardle has tweeted a screenshot and information about two new rules added to XProtect on April 19, which specifically protect against Windows executables. Wardle explained his findings in a Twitch live stream on Tuesday and has said that he will soon make the video available on his YouTube channel.

The Mono framework is an implementation of Microsoft's .NET software development environment, and is developed and maintained by Microsoft subsidiary Xamarin. It allows Windows developers to map DLL file dependencies to alternatives in other host OS environments including macOS, Android, iOS, multiple Linux distributions, and even some embedded operating systems such as the ones used by popular game consoles.

Apple appears to have taken this threat very seriously. Many users might have been taken in assuming that Windows files cannot cause any trouble on Macs, but this is no longer true thanks to tools like the Mono Framework, which are going to become more popular over time.  Users should now see familiar macOS Gatekeeper warnings when suspicious EXE files are detected or when a user tries to run them. The rules include the names of known adware.

The XProtect updates were released without any announcement from Apple. It does not have any visible interface in macOS, but it ties into File Quarantine, which confirms whether a user wants to run files downloaded from the Internet and shows the user when they were downloaded and through which application. If the file contains known malware, File Quarantine will warn users that it will harm their computers. Recent versions of macOS include Gatekeeper, which allows digitally signed files from trusted developers to be allowed to run without throwing up such alerts.