Malicious Windows app can bypass macOS security to steal data

Researchers have discovered a malicious Windows application that can bypass Apple's macOS safeguards to collect a user's system information and data about other apps installed like Facebook or iTunes.

The malware, which is specifically targeting Mac users, delivers its payload to a user's machine through an .EXE file that overrides Mac's built-in protection mechanisms such as Gatekeeper, according to researchers at Trend Micro.

Once the payload is executed, the malware contains a stream of system information including the model name, serial number, and hardware information such as memory and processor details. It also scans installed apps, before sending this harvested data to the command and control server. These include apps such as App Store, FaceTime, and Notes.

"We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design," said Trend Mico's Don Ladores and Luis Magisa.

"We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.

"Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems."

The .EXE file was found buried in an installer of a popular firewall app called Little Snitch, which can be sourced from a number of torrent sites. Infected users downloaded and extracted a .ZIP file which in turn contained a .DMG file which hosted the Little Snitch installer.

The researchers concluded that the .EXE file was a Windows executable responsible for delivering the malicious payload.

The malicious Little Snitch applications are also compiled with Mono framework, an open source iteration of Microsoft's .NET Framework for cross-platform .NET application development, to make them compatible with macOS. This means the .EXE is able to evade protection mechanisms such as Mac's Gatekeeper because the software only scans for native Mac files.

Running this malicious .EXE on Windows displays an error notification, Trend Micro's researchers added, indicating the malware is designed to target macOS users specifically.

Although there is no specific attack pattern, Trend Micro's telemetry data showed relatively high activity in a host of countries including the UK, US, Australia and South Africa.

Macs were once heralded as being 'virus-free', with cyber criminals far more likely to invest in mechanisms to target users on Windows machines. But in the last decade or so macOS has become a far bigger target, and particularly in recent years, with macOS malware soaring 270% in 2017 for instance.

According to a MalwareBytes report, four new malware threats were discovered in the first two months of 2018 alone, and the majority of these security threats are actually being unearthed by users rather than security researchers themselves.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.