Posted on February 12, 2019 at 4:36 PM
A new report published by Trend Micro researchers suggests that hackers are attempting to find a way to infect Mac devices with Windows executables. The researchers discovered this after analyzing an application distributed on torrent websites.
The app promises to install a MacOS firewall app called Little Snitch. However, within its DMG file, the researchers uncovered a malicious executable. According to them, the campaign is probably designed to bypass MacOS’ security feature, Gatekeeper.
Gatekeeper protects the system by requiring all apps to be code-signed before they can be installed. However, EXE files, such as the one found within the fake Little Snitch installer, are not subject to this verification. In other words, since MacOS does not natively support Windows binary executables, this attack can be used to bypass established MacOS safeguards, including digital certificate checks.
Researchers believe that hackers are still experimenting with and studying the effects of malware hidden in various apps available on torrent websites. Because of this, the researchers aim to continue their investigation of this new trend and discover other ways in which cybercriminals may try to exploit the systems’ weaknesses.
How is the Windows file being executed on MacOS?
MacOS has seen noticeable growth in online threats in recent years. This new method is particularly interesting because EXE files simply do not run on Mac devices. The hackers bypassed this limitation by bundling the file with a framework called Mono, which allows EXE files to run on a variety of operating systems, including Android, MacOS, and others.
Furthermore, abusing Mono also provided the hackers with DLL mapping and other supporting features that made it possible for the malicious EXE file to run and install its payload. Another notable finding is that this same EXE would not run on Windows systems when the researchers attempted to execute it there.
Once the researchers allowed the fake Little Snitch installer to run, it quickly collected a large amount of information about the system. Details such as the model name, the unique ID, and all previously installed apps were gathered and stored. After that, it attempted to download other apps, most of which were adware-infected. The researchers also noted that some of these apps were made to look like Adobe’s Flash Media Player, and even like the genuine version of Little Snitch.
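As an added defender's example (not code from the Trend Micro report or from this article), the following Python script walks an unpacked DMG or .app tree and flags the combination described above: Windows PE executables sitting beside a bundled Mono runtime. The Mono file-name markers and the sample bundle it constructs are assumptions, and the PE stub it writes is a header only, not a runnable program.

```python
import os
import struct
import tempfile

# Assumed file-name fragments that suggest a bundled Mono runtime.
MONO_MARKERS = ("libmono", "mono-sgen", "mono.framework", "libmonosgen")


def is_pe_file(path):
    """True if the file has an MZ stub whose e_lfanew points at a 'PE\\0\\0' header."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 60)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def scan_bundle(root):
    """Walk an extracted DMG/.app tree and report PE executables and Mono runtime files."""
    findings = {"pe_files": [], "mono_files": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_pe_file(path):
                findings["pe_files"].append(rel)
            if any(m in name.lower() for m in MONO_MARKERS):
                findings["mono_files"].append(rel)
    return findings


def make_sample_bundle():
    """Constructed sample: a minimal PE header, a fake Mono library and a Mach-O launcher."""
    root = tempfile.mkdtemp(prefix="bundle_")
    macos = os.path.join(root, "Installer.app", "Contents", "MacOS")
    os.makedirs(macos)
    pe = bytearray(b"MZ" + b"\x00" * 62)        # 64-byte DOS stub
    struct.pack_into("<I", pe, 60, 64)          # e_lfanew -> offset 64
    pe += b"PE\x00\x00" + b"\x00" * 20          # PE signature, nothing executable behind it
    with open(os.path.join(macos, "Installer.exe"), "wb") as f:
        f.write(pe)
    for name in ("libmonosgen-2.0.dylib", "Installer"):
        with open(os.path.join(macos, name), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe")        # Mach-O magic, not a PE file
    return root


if __name__ == "__main__":
    print(scan_bundle(make_sample_bundle()))
```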
MacOS continues to struggle with online threats
While MacOS is usually deemed safer than other operating systems, or at least it used to be, recent years have brought a number of new, complex threats to it as well. For example, back in 2015, security researcher Patrick Wardle reported a very simple method of bypassing Gatekeeper: all that hackers needed to do was bundle an unsigned executable with a signed one.
Of course, Apple quickly resolved that issue, but the new discovery shows that there are other methods of infiltration that have yet to be identified. Meanwhile, the endless contest between researchers and hackers continues. Whenever hackers find a vulnerability to exploit, researchers attempt to patch it, which pushes hackers to find a new way around the security systems. For now, it appears that this “game” will never end and that there is no ultimate security. Because of this, it is important for Mac users to remain vigilant and keep online dangers in mind.