Hackers are trying to break macOS security using Windows malware

Researchers at Trend Micro's security labs have discovered .EXE files apparently capable of bypassing macOS protection mechanisms such as Gatekeeper.

The curious part is that .EXE is the executable file format used by Windows, which in principle means such files can only run on Microsoft's operating system. According to Trend Micro, these malicious files evade Gatekeeper because it only checks native Mac executables.

As the researchers explain, they found a sample in a pirated copy of "Little Snitch", a popular macOS firewall app, which is available on various torrent sites.

Mac malware disguised as a fake app, with a malicious payload hidden inside a Windows executable

When the user downloads the torrent, they get a compressed .ZIP file containing a .DMG (the disk image format used to distribute macOS software) with a fake installer for the Little Snitch app. When that installer runs, the main file delivers a hidden malicious payload.

The installer then collects a large amount of system information, such as the machine's unique identifier, model name and installed apps. It also downloads adware disguised as legitimate versions of Flash and Little Snitch.

On inspecting the package, the researchers found the unusual presence of an .EXE file and confirmed that it was responsible for the malicious payload. Being a Windows executable, it is never subjected to Gatekeeper's code-signature verification, which is only performed on native Mac executables.

By default an .EXE cannot be executed on macOS, but the malicious Little Snitch installer sidesteps this limitation by bundling the .EXE together with a framework known as Mono. Mono is an open-source implementation of .NET that allows .NET executables built for Windows to run on macOS, Android and other systems.

However, some researchers point out that there is no real Gatekeeper bypass here: the app's main binary is a standard Mac executable, and Gatekeeper will block it if it is unsigned or signed with a revoked certificate. But once the user allows it to run, it can launch Mono, the .EXE and anything else it likes.
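As an added example (not Trend Micro's or Genbeta's code), here is a POSIX shell script that implements the check an analyst would run on a bundle like this one: it walks the .app directory, flags Mono runtime libraries by name and Windows executables by their PE header (so a renamed .exe is still caught), and on a Mac asks spctl and codesign for the Gatekeeper verdict on the bundle's main binary. The bundle it scans is constructed inside the script to stand in for the fake installer; the file names under it, and the name of the script's own functions, are assumptions, not details of the real sample.

```shell
#!/bin/sh
# Added example, not code from Trend Micro or Genbeta: scan a macOS .app bundle for
# a smuggled Windows PE executable and a bundled Mono runtime, then (on macOS only)
# ask Gatekeeper what it thinks of the bundle. The sample bundle is constructed here
# for the demonstration; its file names are assumptions, not the real sample's.
set -u

# is_pe_file FILE: succeed only if FILE starts with the DOS "MZ" stub and carries a
# "PE\0\0" signature at the offset stored in e_lfanew (bytes 0x3C..0x3F, little-endian).
is_pe_file() {
  local f=$1 lfanew sig
  [ -f "$f" ] || return 1
  [ "$(head -c 2 "$f" 2>/dev/null)" = "MZ" ] || return 1
  # read e_lfanew byte by byte so the check does not depend on host endianness
  set -- $(od -An -tx1 -j 60 -N 4 "$f" 2>/dev/null)
  [ $# -eq 4 ] || return 1
  lfanew=$(( (0x$4 << 24) | (0x$3 << 16) | (0x$2 << 8) | 0x$1 ))
  sig=$(dd if="$f" bs=1 skip="$lfanew" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$sig" = "50450000" ]
}

# list_suspicious APP_DIR: print one "TAG path" line per suspicious file. Mono runtime
# libraries are recognised by name; everything else is tested for a PE header.
list_suspicious() {
  find "$1" -type f | while IFS= read -r f; do
    case "$(basename "$f")" in
      libmono*|mono|Mono) printf 'MONO-RUNTIME %s\n' "$f" ;;
      *) if is_pe_file "$f"; then printf 'PE-EXECUTABLE %s\n' "$f"; fi ;;
    esac
  done
}

# count_suspicious APP_DIR: number of flagged files; 0 means the bundle looks native.
count_suspicious() {
  list_suspicious "$1" | wc -l | tr -d ' '
}

# gatekeeper_assess APP_DIR: on macOS, Gatekeeper's verdict on the main binary plus
# its signing details; elsewhere, say the check was skipped.
gatekeeper_assess() {
  if command -v spctl >/dev/null 2>&1 && command -v codesign >/dev/null 2>&1; then
    spctl --assess --type execute -vv "$1" 2>&1
    codesign -dv --verbose=4 "$1" 2>&1
  else
    printf 'gatekeeper check skipped: spctl/codesign not available on this host\n'
  fi
}

# write_fake_pe FILE: a minimal 132-byte PE skeleton ("MZ" stub, e_lfanew = 0x80,
# "PE\0\0" at 0x80). Enough for the header check; it is not a runnable program.
write_fake_pe() {
  {
    printf 'MZ'
    dd if=/dev/zero bs=1 count=58 2>/dev/null   # pad to offset 0x3C
    printf '\200\0\0\0'                         # e_lfanew = 0x80, little-endian
    dd if=/dev/zero bs=1 count=64 2>/dev/null   # pad to offset 0x80
    printf 'PE\0\0'                             # PE signature
  } > "$1"
}

# make_sample_bundle DIR: constructed stand-in for the fake installer (assumed layout):
# a native launcher, a Mono runtime library, a hidden .exe and a harmless text file.
make_sample_bundle() {
  local app="$1/FakeLittleSnitch.app"
  mkdir -p "$app/Contents/MacOS" "$app/Contents/Resources" "$app/Contents/MonoBundle"
  printf '#!/bin/sh\nexit 0\n' > "$app/Contents/MacOS/Installer"
  : > "$app/Contents/MonoBundle/libmonosgen-2.0.dylib"
  printf 'just text\n' > "$app/Contents/Resources/readme.txt"
  write_fake_pe "$app/Contents/Resources/payload.exe"
  printf '%s\n' "$app"
}

# Demonstration on the constructed bundle.
tmp=$(mktemp -d)
app=$(make_sample_bundle "$tmp")
list_suspicious "$app"
printf 'suspicious files: %s\n' "$(count_suspicious "$app")"
gatekeeper_assess "$app"
rm -rf "$tmp"
```

Point the script at a real bundle with `list_suspicious /path/to/App.app`. A clean native app should produce no lines; the Mono library plus an MZ/PE file in the same bundle is exactly the combination described above, and it shows up whatever the .exe has been renamed to. The spctl and codesign output is the part Gatekeeper actually acts on: if the main binary is unsigned or its certificate is revoked, that is where the block happens, and nothing about the embedded .exe changes that verdict either way.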

Trend Micro's researchers believe that cybercriminals are still exploring the development and possibilities of this type of malware, but suspect it could be used as an evasion technique in other attacks, to circumvent built-in security measures such as digital certificate checks, which in this case are simply not applied to a binary that macOS is not designed to run.

Date updated: 2019-02-15. Date published: 2019-02-15. Category: hackers. Author: Oscar olg. Source: genbeta
