Thanks to researchers at Trend Micro, we now know about a new variant of an existing macOS malware family. Its trick is camouflage: it hides inside a Windows executable (.EXE) so that it can get onto a Mac without being detected.
Oddly, the same .EXE does not work on a Windows machine. Launching it there only produces an error, which is consistent with a payload built to run under the Mono runtime that ships inside the Mac installer rather than as an ordinary Windows program.
The researchers found the malware hiding inside a pirated installer for Little Snitch, a well-known macOS firewall and network monitor. The .ZIP archives carrying the trojanised installer had been downloaded from several torrent sites.
Normally, trying to run an .EXE file on Linux or macOS is futile: neither operating system has a loader for Windows PE binaries, so the attempt simply ends in an error message. That is exactly what this malware exploits. Gatekeeper and the other built-in macOS protections are aimed at native Mach-O code, so an .EXE inside an application bundle does not usually receive the same scrutiny. Once something in the bundle supplies a runtime able to execute it, the file slips past those safeguards rather than overriding them.
When the researchers examined the installer, they found an .EXE file that had no business being there, and that file was the malware. It does nothing until the user opens the installer; until then it simply sits bundled with the app. When the app is launched, the Mono framework packaged inside the same bundle is loaded, and Mono, an open-source runtime that executes Microsoft .NET applications on macOS, Linux and other platforms, runs the .EXE.
How it works
The malware starts by collecting basic system information, including NumberOfProcessors, ProcessorDetails, ProcessorSpeed, ModelIdentifier and ModelName, and sends it all to its command-and-control (C&C) server.
From there it downloads potentially unwanted applications (PUAs): a tampered copy of the Little Snitch installer, plus adware disguised as Adobe Flash Player installers and similar programs.
In the case reported by Trend Micro, the attackers relied on .EXE files, a format macOS cannot run natively, and that is precisely why Apple's built-in defences did not flag them. The same sample also fails on Windows, where launching it produces an error rather than an infection, so the disguise cuts both ways: the file only does its job where the Mono runtime bundled with the Mac installer is present to execute it.
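The combination described above, a Windows PE executable sitting in a macOS application bundle next to a Mono runtime, is easy to spot once you know to look for it. The script below is an added triage example; it is not Trend Micro's tooling and not the malware's own code. It assumes the Mono runtime shows up as files named libmono* or mscorlib.dll inside the bundle (the exact file names in the real sample are an assumption here), and it builds its own constructed sample bundle so it can be run offline.

```sh
#!/bin/sh
# Added triage example (not Trend Micro's tooling, not the malware's code).
# Flags two things inside a macOS .app bundle: a Windows PE executable
# (files starting with the "MZ" DOS header) and a bundled Mono runtime.
# Assumption: the Mono runtime appears as libmono*/mscorlib.dll/mono*.dll.

# First four bytes of a file as lowercase hex (a 64-bit Mach-O reads "cffaedfe").
magic4() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Classify one file by magic number: pe (MZ header), macho (thin or fat), or other.
classify() {
    case "$(magic4 "$1")" in
        4d5a*)                                        echo pe ;;
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) echo macho ;;
        *)                                            echo other ;;
    esac
}

# Walk a bundle and print one finding per line; empty output means nothing suspicious.
scan_bundle() {
    find "$1" -type f -print | while IFS= read -r f; do
        case "$(basename "$f")" in
            libmono*|mscorlib.dll|mono*.dll)
                echo "MONO_RUNTIME $f"
                continue ;;
        esac
        if [ "$(classify "$f")" = pe ]; then
            echo "PE_EXECUTABLE $f"
        fi
    done
    return 0
}

# Constructed sample (not the real installer): a fake bundle laid out like the
# trojanised one, with a Mach-O main binary beside a PE file and a Mono library.
make_sample_bundle() {
    root=$(mktemp -d)
    macos="$root/Fake.app/Contents/MacOS"
    mkdir -p "$macos"
    printf '\317\372\355\376' > "$macos/Fake"                  # Mach-O 64-bit magic
    printf 'MZ constructed PE stub' > "$macos/Installer.exe"   # PE/DOS header
    printf 'not a real library' > "$macos/libmonosgen-2.0.dylib"
    echo "$root"
}

# Stand-alone demo: scan the constructed bundle, then clean up.
# Real use: scan_bundle "/Volumes/Little Snitch/Little Snitch Installer.app"
demo=$(make_sample_bundle)
scan_bundle "$demo/Fake.app"
rm -rf "$demo"
```

Running it on the constructed bundle reports the PE_EXECUTABLE and MONO_RUNTIME findings and stays silent about the Mach-O binary. On a real suspect installer you would point scan_bundle at the mounted .app; any PE file in Contents/MacOS deserves a closer look regardless of whether Mono is also present, since an .EXE simply has no legitimate reason to be there.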
So far, infections have been seen mostly in the United States, Luxembourg, South Africa, Australia, the United Kingdom and Armenia.
The researchers believe the sample is part of malware authors' ongoing search for new ways to distribute their code. They suggest it may be serving as a Trojan horse for more dangerous payloads, and that the .EXE disguise exists to slip past built-in safeguards by passing as familiar software.
It is also quite possible that the attackers are using it to probe other ways into Mac systems, since an unsupported binary format is one way to evade the checks aimed at native code. Because the sample was spread through torrent sites rather than in a targeted campaign, judging how cybercriminals intend to use it is difficult, though not impossible.