Malware for macOS Uses Windows EXE Files to Evade Detection, Install Adware

  • macOS does not check Windows EXE files which usually cannot be executed
  • The malware uses the Mono cross-platform framework to run EXE files
  • Adware is downloaded and installed automatically when the EXE is run

Trend Micro Security has discovered a new form of malware that targets macOS but masquerades as a Windows executable file. This allows it to evade detection by Apple's own Gatekeeper security tool, since Windows EXE files are typically disregarded because of their inability to run. The malware, however, does execute these files using a software framework called Mono which is designed to enable cross-platform app development. The malware has been found in pirated versions of popular Mac apps that are being distributed as Torrents. Once installed, it contacts a remote server, reports your system information, and downloads whatever additional malware the author wants to send.

The threat, which does not have a specific name, has been confirmed by Trend Micro to have struck Macs in the US, UK, Australia, South Africa, and Europe. It is not believed to have been specifically targeted at any region or type of user.

Researchers have found this malware being distributed as several commonly pirated macOS apps including Little Snitch, a firewall; the Traktor Pro 2 DJ software; Paragon NTFS, which is widely used to access hard drives formatted for Windows; and Wondershare's Filmora video editing suite.

The malware cleverly includes the Mono framework within the downloaded package. Users would otherwise have to have Mono installed already, which would significantly reduce this malware's ability to infect Macs. Interestingly, the malicious EXE files will not run on Windows because they are specifically designed to infect Macs.
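A triage check for the packaging described above, as an added example (not from Trend Micro or the original article): it walks an unpacked app bundle or mounted disk image, flags files that carry a Windows PE header, and notes a bundled Mono runtime. The runtime file names matched (`mono`, `libmono*`) and the header-only sample bytes are assumptions constructed for illustration.

```python
import os
import struct

def pe_kind(data):
    """Return None if data is not a PE image, else 'native' or 'dotnet'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew: offset of PE signature
    if data[off:off + 4] != b"PE\0\0":
        return None
    opt = off + 24                                  # signature (4) + COFF header (20)
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the optional header.
    clr = opt + (96 if data[opt:opt + 2] == b"\x0b\x01" else 112) + 14 * 8
    entry = data[clr:clr + 8].ljust(8, b"\0")       # truncated header counts as no CLR
    rva, size = struct.unpack("<II", entry)         # directory 14 = CLR runtime header
    return "dotnet" if rva and size else "native"

def scan_bundle(root):
    """Walk an unpacked download; report PE files and a bundled Mono runtime."""
    found = {"pe": [], "dotnet": [], "mono": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    kind = pe_kind(fh.read(4096))
            except OSError:
                continue  # unreadable file or dangling symlink
            if kind:
                found["pe"].append(rel)
            if kind == "dotnet":
                found["dotnet"].append(rel)
            if not kind and (name == "mono" or name.startswith("libmono")):
                found["mono"].append(rel)  # assumed runtime file names
    found["suspicious"] = bool(found["dotnet"] and found["mono"])
    return found

def make_sample_pe(dotnet):
    """Constructed header-only PE32 bytes for testing; not a working program."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x98, 0x10B)        # PE32 optional-header magic
    if dotnet:
        struct.pack_into("<II", buf, 0x98 + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)
```

Legitimate Mono-based Mac apps also ship .NET assemblies next to the runtime, so a hit is a prompt to inspect the bundle, not a verdict.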

After being installed successfully, the malware sends identifying system information including the serial number of the infected Mac and its hardware and software configuration to a remote server. It is not clear what this information is used for. Trend Micro analysed a sample and found that it also downloaded and automatically executed three files including what appeared to be an installer for Adobe Flash but was actually adware. Thus, the malicious EXE file can be used to deliver other, potentially more serious, types of malware, including adware or ransomware, onto an infected PC.

The Mono framework is an implementation of Microsoft's .NET software development environment, and is developed and maintained by Microsoft subsidiary Xamarin. It allows Windows developers to map DLL file dependencies to alternatives in other host OS environments including macOS, Android, iOS, multiple Linux distributions, and even some embedded operating systems such as the ones used by popular game consoles.

Gatekeeper is Apple's attempt to prevent users from harming their machines by screening executable files for potential threats. It can also be set to prevent users from installing apps from anywhere other than its own App Store, commonly referred to as a “walled garden” approach to security. Gatekeeper typically checks an app publisher's code signatures and verifies the integrity of downloaded files.

In 2015, security researchers discovered that the macOS Gatekeeper could be bypassed simply by using an already trusted file to load other files from arbitrary folders. Mac users (and all PC users) are advised to be very careful about where they download software from.



Jamshed Avari has been working in tech journalism as a writer, editor and reviewer for over 13 years. He has reviewed hundreds of products ranging from smartphones and tablets to PC components and accessories, and has also written guides, feature articles, news and analyses. Going beyond simple ratings and specifications, he digs deep into how emerging products and services affect actual users, and what marks they leave on our cultural landscape. He's happiest when something new comes ...More





© Copyright Red Pixels Ventures Limited 2021. All rights reserved.