
This nasty Windows executable file targets Mac systems

  • The EXE file bypasses built-in security mechanisms in macOS and evades signature checks and file verification to execute an installation.
  • It is also capable of downloading malicious applications such as adware and info-stealer trojans.

A new Windows executable file is making the rounds in the Mac ecosystem. Malicious EXE files targeting Windows systems are a routine occurrence; in this case, however, the target is macOS.

This file, discovered by the security firm Trend Micro, overrides built-in security mechanisms to creep into Apple computers and install malicious applications such as adware, info-stealers, and other malware.

Hides inside the DMG file

Trend Micro reported that the file was available on various torrent websites and packaged in an installer of the iOS firewall app Little Snitch.

“When the downloaded .ZIP file is extracted, it contains a DMG file hosting the installer for Little Snitch. Inspecting the installer contents, we found the unusual presence of the EXE file bundled inside the app, verified to be a Windows executable responsible for the malicious payload,” the researchers explained in their blog.

When the installer is run, the EXE file also gets executed in parallel, using the Mono framework, which allows .NET applications to run on macOS systems.
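A defender-side check for the trait described above, a Windows PE file sitting inside a macOS installer bundle. This is an added example, not code from Trend Micro or the article; the function names and the sample bundle layout are assumptions, and the sample files are constructed stubs containing only magic bytes.

```python
import os
import struct
import sys
import tempfile

def is_pe(path):
    """True if the file has an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def find_pe_files(root):
    """List PE files under root (extracted .app or mounted DMG), ignoring extensions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and is_pe(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def build_sample_bundle(root):
    """Constructed sample bundle (hypothetical layout): stub files, magic bytes only."""
    pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64 + b"PE\0\0"
    samples = {
        "Contents/MacOS/Installer": b"\xcf\xfa\xed\xfe" + b"\0" * 96,  # Mach-O magic
        "Contents/Resources/setup.exe": pe_stub,
        "Contents/Resources/helper.dat": pe_stub,            # PE without an .exe name
        "Contents/Resources/notes.txt": b"MZ" + b" " * 100,  # starts with MZ, not a PE
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a real directory passed on the command line
        print("\n".join(find_pe_files(sys.argv[1])))
    else:                  # otherwise demonstrate on the constructed sample
        with tempfile.TemporaryDirectory() as d:
            build_sample_bundle(d)
            print("\n".join(find_pe_files(d)))
```

The check keys on file content rather than the `.exe` extension, so a renamed PE inside the bundle is still reported.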

Snooping on system information and downloading malware

The malware then collects system information and scans various other applications installed on the system. All of this information is passed on to a C&C server managed by the attackers.

Additional files, which are adware and info-stealer malware, are then downloaded from the Internet. Installation is done through a virtual drive process by mounting the DMG files onto the system.

Interestingly, this EXE file does not run on Windows computers, meaning the file was specifically designed to target Mac systems. Trying to execute the file on Windows would display an error message.

Cyware Publisher