Malware for macOS Uses Windows EXE Files to Evade Detection, Install Adware

Trend Micro Security has discovered a new form of malware that targets macOS but masquerades as a Windows executable file. This allows it to evade detection by Apple's own Gatekeeper security tool, since Windows EXE files are typically disregarded because of their inability to run. The malware, however, does execute these files using a software framework called Mono which is designed to enable cross-platform app development. The malware has been found in pirated versions of popular Mac apps that are being distributed as Torrents. Once installed, it contacts a remote server, reports your system information, and downloads whatever additional malware the author wants to send.

The threat, which does not have a specific name, has been confirmed by Trend Micro to have struck Macs in the US, UK, Australia, South Africa, and Europe. It is not believed to have been specifically targeted at any region or type of user.

Researchers have found this malware being distributed as several commonly pirated macOS apps including Little Snitch, a firewall; the Traktor Pro 2 DJ software; Paragon NTFS, which is widely used to access hard drives formatted for Windows; and Wondershare's Filmora video editing suite.

The malware cleverly includes the Mono framework within the downloaded package. Users would otherwise have to have Mono installed already, which would significantly reduce this malware's ability to infect Macs. Interestingly, the malicious EXE files will not run on Windows because they are specifically designed to infect Macs.

After being installed successfully, the malware sends identifying system information including the serial number of the infected Mac and its hardware and software configuration to a remote server. It is not clear what this information is used for. Trend Micro analysed a sample and found that it also downloaded and automatically executed three files including what appeared to be an installer for Adobe Flash but was actually adware. Thus, the malicious EXE file can be used to infiltrate other potentially more serious types of malware onto an infected PC including adware or ransomware.

The Mono framework is an implementation of Microsoft's .NET software development environment, and is developed and maintained by Microsoft subsidiary Xamarin. It allows Windows developers to map DLL file dependencies to alternatives in other host OS environments including macOS, Android, iOS, multiple Linux distributions, and even some embedded operating systems such as the ones used by popular game consoles.

Gatekeeper is Apple's attempt to prevent users from harming their machines by screening executable files for potential threats. It can also be set to prevent users from installing apps from anywhere other than its own App Store, commonly referred to as a “walled garden” approach to security. Gatekeeper typically checks an app publisher's code signatures and verify the integrity of downloaded files.

In 2015, security researchers discovered that the macOS Gatekeeper could be bypassed simply by using an already trusted file to load other files from arbitrary folders. Mac users (and all PC users) are advised to be very careful about where they download software from.