Hackers keep trying to get malicious Windows file onto MacOS


Clever trick would be designed to bypass Gatekeeper protections built into macOS.

Dan Goodin


Malware pushers are experimenting with a novel way to infect Mac users: running executable files that normally execute only on Windows computers.

The files and folders found inside a DMG file that promised to install Little Snitch.


Trend Micro

Researchers from antivirus provider Trend Micro made that discovery after analyzing an app available on a torrent site that promised to install Little Snitch, a firewall application for macOS. Stashed inside the DMG file was an EXE file that delivered a hidden payload. The researchers suspect the routine is designed to bypass Gatekeeper, a security feature built into macOS that requires downloaded apps to be code-signed before they are allowed to run. EXE files don't undergo this verification, because Gatekeeper only inspects native macOS (Mach-O) executables.

“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks, since it is an unsupported binary executable in Mac systems by design,” Trend Micro researchers Don Ladores and Luis Magisa wrote. “We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.”

By default, EXE files won't run on a Mac. The booby-trapped Little Snitch installer worked around this limitation by bundling the EXE file with a free framework known as Mono. Mono allows Windows executables to run on MacOS, Android, and a variety of other operating systems. It also provided the DLL mapping and other support required for the hidden EXE to execute and install the hidden payload. Gatekeeper's verdict still covers the native launcher that starts Mono; the payload logic lives in the EXE, which Gatekeeper never examines. Interestingly, the researchers couldn't get the same EXE to run on Windows.

The researchers wrote:

In the meantime, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries. In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems, given EXE is not a recognized binary executable by MacOS' security features. As for the native library differences between Windows and MacOS, mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.
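As an added example (not code from Trend Micro, Apple or Ars Technica), the following Python script shows the check a responder would run on an unpacked DMG or app bundle matching the two passages above: identify each file by its magic bytes rather than its extension, flag PE executables (which Gatekeeper never assesses) that travel with a bundled Mono runtime, and list the DLL-to-dylib mappings in any Mono dllmap config. The directory layout, file names and header stubs it builds are constructed for illustration; `libmonosgen-2.0.dylib` and the `<dllmap>` element in a `.exe.config` are real Mono conventions, but the specific mapping shown is an assumption.

```python
"""
Triage an unpacked DMG/app tree for Windows PE executables bundled with a
Mono runtime. Added example; not Trend Micro's, Apple's or Ars Technica's code.
Gatekeeper assesses Mach-O binaries, so a PE file plus a bundled Mono runtime
inside a Mac installer is the pattern to look for. The sample tree is constructed.
"""
import os
import struct
import tempfile
import xml.etree.ElementTree as ET

# Mach-O magic numbers (thin 32/64-bit, both byte orders) and the fat header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def dllmaps(path):
    """Return [(dll, target), ...] from a Mono dllmap config, or [] if it is not one."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []
    return [(e.get("dll"), e.get("target")) for e in root.iter("dllmap")]


def classify(path):
    """Identify a file by content, not extension: 'macho', 'pe', 'dllmap' or 'other'."""
    with open(path, "rb") as f:
        head = f.read(64)
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:2] == b"MZ" and len(head) >= 64:
        # The DOS header's e_lfanew field (offset 0x3C) points at "PE\0\0".
        (pe_off,) = struct.unpack_from("<I", head, 0x3C)
        with open(path, "rb") as f:
            f.seek(pe_off)
            if f.read(4) == b"PE\x00\x00":
                return "pe"
    if path.endswith(".config") and dllmaps(path):
        return "dllmap"
    return "other"


def is_mono_runtime(name):
    """Name heuristic for a bundled Mono runtime (libmono*.dylib or the mono launcher)."""
    lower = name.lower()
    return lower.startswith("libmono") or lower == "mono"


def triage(root):
    """Walk an unpacked bundle; report PE files, Mach-O files, Mono pieces and dllmaps."""
    report = {"pe": [], "macho": [], "mono_runtime": [], "dllmap": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            kind = classify(path)
            if kind == "dllmap":
                report["dllmap"][rel] = dllmaps(path)
            elif kind in ("pe", "macho"):
                report[kind].append(rel)
            if is_mono_runtime(name):
                report["mono_runtime"].append(rel)
    # A Windows executable shipping its own runtime inside a Mac installer is
    # the evasion pattern: Gatekeeper never assesses the PE itself.
    report["suspicious"] = bool(report["pe"]) and bool(
        report["mono_runtime"] or report["dllmap"]
    )
    return report


def build_sample(root, include_pe=True):
    """Construct a toy installer tree (constructed data, not the real sample)."""
    macos = os.path.join(root, "Installer.app", "Contents", "MacOS")
    bundle = os.path.join(root, "Installer.app", "Contents", "MonoBundle")
    os.makedirs(macos)
    os.makedirs(bundle)
    # Minimal PE stub: DOS header with e_lfanew = 0x40, then the PE signature.
    pe = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
    macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # MH_MAGIC_64, little endian
    with open(os.path.join(macos, "Installer"), "wb") as f:
        f.write(macho)
    if include_pe:
        with open(os.path.join(bundle, "Installer.exe"), "wb") as f:
            f.write(pe)
        with open(os.path.join(bundle, "libmonosgen-2.0.dylib"), "wb") as f:
            f.write(macho)
        with open(os.path.join(bundle, "Installer.exe.config"), "w") as f:
            f.write('<configuration>\n'
                    '  <dllmap dll="user32.dll" target="libX11.dylib"/>\n'
                    '</configuration>\n')
    with open(os.path.join(root, "README.txt"), "w") as f:
        f.write("not a binary\n")


def demo(include_pe=True):
    """Build the sample tree in a temp dir and triage it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, include_pe)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a mounted DMG (`hdiutil attach` the image, then point `triage()` at the mount point) rather than the constructed tree; the content-based `classify()` matters because nothing stops an attacker from renaming the EXE, and `is_mono_runtime()` is only a name heuristic that a careful packer can defeat.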

The Little Snitch installer the researchers analyzed collected a wealth of system details about the infected computer, including its unique ID, model name, and the apps installed. It then downloaded and installed various adware apps, some of which were disguised as legitimate versions of Little Snitch and Adobe's Flash Media Player.

The discovery underscores the cat-and-mouse game that plays out almost constantly between hackers and developers. Once developers devise a new way to protect users, hackers find a way to get around it. Developers then introduce a fix that remains in place until hackers find a new way to skirt the protection.

In 2015, macOS security expert Patrick Wardle reported a drop-dead simple way for malware to bypass Gatekeeper. The technique worked by bundling a signed executable with a non-signed executable. Apple fixed the bypass weakness after Wardle reported it. Company representatives didn't immediately respond to an email seeking comment about the reported ability of EXE files to bypass Gatekeeper.

