It is commonly thought that Mac and Windows are two separate universes: what affects one cannot affect the other. That is not always the case. Researchers have found a new way used by attackers to bypass the security measures of macOS: a malicious file that normally could only be run on Windows.
The discovery happened almost by accident. The researchers found several macOS installers (.dmg) passed off as popular software on a torrent site; each contained an EXE application compiled against the Mono framework, so that it could run on macOS.
Mono is an open source implementation of Microsoft's .NET framework that lets developers build cross-platform .NET applications, so the same program can run on Linux, Windows and macOS. Normally, trying to open a Windows EXE file on macOS does nothing but produce an error, because it is not a binary format the system can execute, and the system's protection mechanisms treat it as foreign rather than inspecting it for malicious code. By bundling the Mono runtime together with the EXE, the attackers get around this limitation and reach the Mac after all.
How can an infected Windows file also affect Mac?
According to the researchers, the trick works because the EXE file is never checked by Gatekeeper, the macOS component that verifies code signatures. Gatekeeper's verification only covers the native Mac executable format, so a file in a Windows-only format is simply not examined, and the bundled Mono runtime runs it anyway.
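A practitioner who wants to check a downloaded installer for exactly this combination can look for two things: a Windows PE image (the "MZ" / "PE\0\0" headers) inside the bundle, and Mono runtime files shipped next to it. The script below is an added example written for this article; it is not the researchers' tooling or any code from the samples they analysed. It assumes the .dmg has already been mounted or unpacked on disk, and the Mono file names it looks for (libmono*, mono-2.0, mscorlib.dll) are assumed typical names, not taken from the article. The sample bundle it builds for the demo is constructed test data.

```python
"""Added example: scan an unpacked macOS installer or .app bundle for Windows PE
executables and a bundled Mono runtime, the two ingredients of the technique above."""
import os
import struct
import tempfile
from typing import Dict, List, Optional

# Assumed typical file names of a bundled Mono runtime (not taken from the samples).
MONO_MARKERS = ("libmono", "mono-2.0", "mscorlib.dll")


def inspect_pe(data: bytes) -> Optional[Dict[str, object]]:
    """Return {'machine', 'managed'} if `data` starts with a PE image, else None.
    'managed' is True when the CLR header (data directory #14) is present,
    i.e. the file is a .NET/Mono assembly rather than a native Windows binary."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + 2 > len(data):
        return {"machine": machine, "managed": False}
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = 108, 112
    else:
        return {"machine": machine, "managed": False}
    managed = False
    clr_off = opt + dirs_off + 14 * 8
    if opt + ndirs_off + 4 <= len(data) and clr_off + 8 <= len(data):
        (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
        if ndirs > 14:
            rva, size = struct.unpack_from("<II", data, clr_off)
            managed = rva != 0 and size != 0
    return {"machine": machine, "managed": managed}


def scan_bundle(root: str) -> List[Dict[str, object]]:
    """Walk `root` and report every PE image and every Mono runtime file found."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if any(m in name.lower() for m in MONO_MARKERS):
                findings.append({"path": rel, "kind": "mono-runtime"})
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)   # headers only; enough for inspect_pe()
            except OSError:
                continue
            pe = inspect_pe(head)
            if pe:
                findings.append({"path": rel, "kind": "pe",
                                 "machine": pe["machine"], "managed": pe["managed"]})
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """Gatekeeper checks signatures on native Mac executables only, so a PE plus a
    bundled Mono runtime is the combination that slips past it and needs a manual look."""
    has_pe = any(f["kind"] == "pe" for f in findings)
    has_mono = any(f["kind"] == "mono-runtime" for f in findings)
    if has_pe and has_mono:
        return "SUSPICIOUS: PE executable shipped together with a Mono runtime"
    if has_pe:
        return "WARNING: PE executable inside a macOS bundle"
    return "CLEAN: no PE images found"


def build_minimal_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed sample: only the PE headers inspect_pe() needs, no code (test data)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    machine, magic = (0x8664, 0x20B) if pe32plus else (0x14C, 0x10B)
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt_size = dirs_off + 16 * 8
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, ndirs_off, 16)
    if managed:
        struct.pack_into("<II", opt, dirs_off + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt)


def make_sample_bundle() -> str:
    """Constructed sample: a fake Installer.app laid out like the torrent DMGs described."""
    root = tempfile.mkdtemp(prefix="sample_bundle_")
    macos_dir = os.path.join(root, "Installer.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(macos_dir, "Installer.exe"), "wb") as fh:
        fh.write(build_minimal_pe(managed=True))
    with open(os.path.join(macos_dir, "libmonosgen-2.0.dylib"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\0" * 60)   # Mach-O 64-bit magic, stub body
    with open(os.path.join(root, "Installer.app", "Contents", "Info.plist"), "wb") as fh:
        fh.write(b'<plist version="1.0"></plist>')
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_bundle()
    results = scan_bundle(target)
    for finding in results:
        print(finding)
    print(verdict(results))
```

Run it against a mounted image (`hdiutil attach Installer.dmg`, then pass the mount point) or an unpacked .app. A PE image inside a Mac bundle is not malicious by itself, since legitimate Mono and Wine-based apps ship them too, but it is exactly the kind of content Gatekeeper's `spctl --assess --type execute` verdict on the .app says nothing about, so it should be inspected by hand before the installer is trusted.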
The fake installer includes a firewall application of the Little Snitch kind, that is, a firewall that controls the network access of every application on the system. Such a tool is meant to protect privacy by limiting outbound traffic, not to defend the system against attacks. Hidden alongside it, in the same compact package, is a component built to gather information about the targeted Mac and send it to a server controlled remotely by the attackers.
Once run, the EXE malware downloads further apps carrying adware and prompts the user to install them. Some of them even look legitimate, carrying brand names such as Adobe Flash Media Player and Little Snitch.
Malware EXE from Windows to Mac: some thoughts
During their research, the researchers were unable to identify a specific pattern to associate with the malware, but they did narrow down the geographic areas where this trick is used: the most affected countries turned out to be the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.
An interesting detail is that the same file used to infect macOS, although built in the Windows format, could not be run on Windows itself. Whenever the researchers tried, the result was always an error. This is telling, because it means the malware was created specifically to target macOS.
"At the moment, running the EXE malware on other systems may have a greater effect on non-Windows operating systems. Normally, a Mono framework is needed to compile the file and run it", the researchers explained.
"However, in this case, the fact that the files were bundled with the framework made things more complicated, allowing the EXE malware to bypass security measures, as they are not recognized as binary code that macOS can execute."
According to the specialists, the reason the EXE file can run on Mac but not on Windows lies in the framework used, which only supports its own DLL mapping of Windows system libraries.
The only way to protect yourself from this technique is to avoid downloading apps, tools and other files from torrent sites and other sources you do not know. Also take a look at the reviews of an app before downloading it.
The precautions to be taken
Companies, in general, should always monitor what their employees download, and every application installed should be approved according to company guidelines.
Employees are one of the main sources of IT risk for companies, and the resulting risks make up the human component of risk. To minimize this risk, employees need to be trained on the threats they face.
Phishing training is one example.
In addition to these preventive security activities, companies need to establish a multi-layer security framework. Besides training aimed at minimizing human risk, prevention must include periodic technical risk management through vulnerability assessment and network scanning activities.