In 2015, macOS Security Expert Patrick Wardle reported an almost shockingly simple method hackers could employ to get around the Mac Gatekeeper system, which is the first line of defense against malware. He simply bundled two executable files: One signed and one not signed. Apple promptly fixed this weakness when Wardle reported it, but the hackers did not stop looking for new ways to infect Mac systems.
Recently, researchers at Trend Micro discovered an app on a popular Torrent site that was promised to install a macOS program called Little Snitch, which is a firewall app. Lurking inside the package, however, was an EXE file that could deliver a hidden payload.
A spokesman at Trend had the following to say about the discovery:
“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks, since it is an unsupported binary executable in Mac systems by design. We think that the cyber-criminals are studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cyber-criminals can use this information and routine.”
Normally, a Windows executable file can’t and won’t run on a Mac. The hackers have worked around this by bundling the EXE with a free framework called Mono. Trend’s research team went onto say:
“Currently, running an EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a Mono framework installed in the system is required to compile or load executables and libraries. In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, Mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.”
Long story short, Mac users have a new potential threat to worry about. Stay vigilant.
Leave Your Comments