Yes, you heard me right — a .exe malware on macOS.
Security researchers at antivirus firm Trend Micro have discovered a novel way hackers are using in the wild to bypass Apple's macOS security protection and infect Mac computers by deploying malicious EXE files that normally run only on Windows computers.
Researchers found, on a torrent site, several samples of malicious macOS applications (.dmg) masquerading as installers for popular software; each bundles an EXE application compiled with the Mono framework to make it compatible with macOS.
Mono is an open source implementation of Microsoft's .NET Framework that allows developers to create cross-platform .NET applications, which work across all supported platforms, including Linux, Windows and Mac OS X.
Usually, running any Windows executable results in an error on macOS systems, and built-in protection mechanisms such as Gatekeeper also skip scanning .exe files for malicious code.
"This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files," Trend Micro said in a blog post published Monday.
The fake installer analyzed by the researchers promised to install the Little Snitch firewall application, but also came bundled with a hidden Mono-compiled payload designed to collect system information about the targeted Mac computer and send it to a remote command-and-control server controlled by the attackers.
During their analysis, the researchers found "no specific attack pattern" associated with the malware, but their telemetry showed that the highest numbers of infections were in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.
Interestingly, the security researchers could not get the same malicious EXE file to run on Windows—attempting to run the file on Windows resulted in an error, which means that this malware has been designed to target macOS users specifically.
"Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries," researchers explained.
"In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS' security features. As for the native library differences between Windows and MacOS, the mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts."
The best way to protect yourself from falling victim to such malware is to avoid downloading apps, tools, and other files onto your computers from torrent websites or any other untrusted source.
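As an added, defender-side example (not Trend Micro's code), the following Python heuristic walks an extracted installer bundle, flags any file carrying a Windows PE header (an 'MZ' stub whose e_lfanew field points at the 'PE\0\0' signature), and notes whether Mono runtime files are bundled alongside it, which is the combination described above. The Mono file-name prefixes and the sample bundle are assumptions constructed here for illustration.

```python
"""Flag installer bundles carrying a Windows PE (.exe) payload plus a bundled Mono runtime.
Added example, not Trend Micro's code. Heuristic only: PE detection uses the 'MZ' stub and
the 'PE\\0\\0' signature at e_lfanew; Mono detection matches assumed file-name prefixes."""
import os
import struct
import tempfile

# Assumed file-name prefixes for a bundled Mono runtime (heuristic, not exhaustive).
MONO_MARKERS = ("mono", "libmonosgen", "libmono", "mscorlib.dll")

def is_pe_file(path: str) -> bool:
    """True if the file starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def scan_bundle(bundle_dir: str) -> dict:
    """Walk an extracted bundle; list PE and Mono files, flag when both are present."""
    pe_files, mono_files = [], []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir)
            if is_pe_file(path):
                pe_files.append(rel)
            if name.lower().startswith(MONO_MARKERS):
                mono_files.append(rel)
    return {"pe_files": pe_files, "mono_files": mono_files,
            "suspicious": bool(pe_files) and bool(mono_files)}

def build_sample_bundle() -> str:
    """Constructed fixture: a fake installer with a minimal PE stub and a Mono library."""
    bundle = tempfile.mkdtemp(prefix="fake_installer_")
    macos = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos)
    pe = bytearray(b"MZ" + b"\x00" * 62)      # 64-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)     # e_lfanew -> offset 0x40
    pe += b"PE\x00\x00"                         # PE signature lands at 0x40
    with open(os.path.join(macos, "Installer.exe"), "wb") as fh:
        fh.write(pe)
    with open(os.path.join(macos, "libmonosgen-2.0.dylib"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe")            # Mach-O magic, not a PE
    return bundle
```

Running `scan_bundle(build_sample_bundle())` reports the PE file and the Mono library and sets `suspicious` to True; a bundle with only native Mach-O binaries is left alone.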