afterpax.blogg.se

Run windows executable on mac

Researchers from antivirus provider Trend Micro made that discovery after analyzing an app available on a Torrent site that promised to install Little Snitch, a firewall application for macOS. Stashed inside the DMG file was an EXE file that delivered a hidden payload. The researchers suspect the routine is designed to bypass Gatekeeper, a security feature built into macOS that requires apps to be code-signed before they can be installed. EXE files don’t undergo this verification, because Gatekeeper only inspects native macOS files.

“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks, since it is an unsupported binary executable in Mac systems by design,” Trend Micro researchers Don Ladores and Luis Magisa wrote.

By default, EXE files won’t run on a Mac. The booby-trapped Little Snitch installer worked around this limitation by bundling the EXE file with a free framework known as Mono. Mono allows Windows executables to run on MacOS, Android, and a variety of other operating systems. It also provided the DLL mapping and other support required for the hidden EXE to execute and install the hidden payload. Interestingly, the researchers couldn’t get the same EXE to run on Windows.

Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries. In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.

The Little Snitch installer the researchers analyzed collected a wealth of system details about the infected computer, including its unique ID, model name, and the apps installed. It then downloaded and installed various adware apps, some of which were disguised as legitimate versions of Little Snitch and Adobe’s Flash Media Player.

“We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.”
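An added example, not from the original article or from Trend Micro: because Gatekeeper only inspects native macOS files, a defender can check a mounted DMG or .app bundle for Windows PE files by header rather than by extension, and note whether a Mono runtime ships alongside them. The `MONO_HINTS` file-name heuristic, the function names and the sample bundle are assumptions constructed for illustration.

```python
import os, struct, sys

MONO_HINTS = ("mono", "libmono")  # assumed file-name heuristic for a bundled Mono runtime

def is_pe(path):
    """True if the file starts with a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def scan_bundle(root):
    """Return (sorted relative paths of PE files, True if a Mono-like file name was seen)."""
    pe_files, mono = [], False
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the bundle
            if name.lower().startswith(MONO_HINTS):
                mono = True
            if is_pe(full):
                pe_files.append(os.path.relpath(full, root))
    return sorted(pe_files), mono

def make_sample(root):
    """Build a constructed, harmless bundle layout for demonstration."""
    res = os.path.join(root, "Sample.app", "Contents", "Resources")
    os.makedirs(res)
    # Minimal header only: 'MZ', e_lfanew = 0x80 at offset 0x3C, 'PE\0\0' at 0x80.
    stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64 + b"PE\0\0"
    samples = {"setup.dat": stub, "notes.txt": b"MZ is also just two letters",
               "libmonosgen-2.0.dylib": b"\0" * 16}
    for name, data in samples.items():
        with open(os.path.join(res, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    hits, mono = scan_bundle(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel in hits:
        print("PE file inside bundle:", rel)
    print("Mono runtime bundled:", mono)
```

A PE file together with a Mono runtime inside a macOS installer is the combination the article describes; .NET assemblies shipped by legitimate Mono-based apps are PE files too, so hits need triage rather than automatic blocking.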











