An EXE infection for your Mac

Everyone knows that EXE files can be dangerous for computers running Windows. But it turns out that EXE files can infect macOS too.

The idea that macOS is invulnerable is a myth, as we’ve said many times before. Recently, cybercriminals found yet another way to tiptoe past its built-in defense mechanism: they collected data about the infected system and delivered adware using files with the EXE extension, which normally run only in Windows. An EXE file infecting Mac users? Strange, but the method does work.

A tale of infection: A pirated firewall bundled with EXE malware

The irony is that the malware was added not just anywhere, but to a pirated copy of a security product — the Little Snitch firewall. Users who tried to save on paying for a license predictably ended up with a headache instead.

The infected version of the firewall was distributed using torrents. Victims downloaded a ZIP archive containing a disk image in DMG format — so far, normal. But a close look at the contents of this DMG file reveals a MonoBundle folder with a certain installer.exe inside. This is not a typical macOS object; EXE files usually just don’t run on Mac machines.

Gatekeeper looks the other way

In fact, Windows executables are so unsupported in macOS that Gatekeeper (a security feature of macOS that prevents suspicious programs from running) simply ignores EXE files. This is quite understandable: It makes little sense to overload the system by scanning obviously inactive files, especially with one of Apple’s selling points being operating speed.

That would be fine were it not for one “but”: Many programs are available for Windows, and sometimes Mac users need some of them, so various solutions exist for running files that are not native to the platform. One of them is the Mono framework, a free system that lets users run Windows applications in other operating systems, including macOS.

As you can probably guess, the framework is what the cybercriminals exploited. A framework usually needs to be installed on the computer separately, but these cybercrooks came up with a method of packaging it with the malware (remember the sinister EXE in the MonoBundle folder?). As a result, the malware runs successfully even on Macs whose owners use only native programs.

A tale of infection: Spyware and adware

After installation, the malware first collects information about the infected system. The cybercriminals are interested in the model name, device IDs, processor specifications, RAM, and many other things. The malware also harvests information about installed applications and sends it to its C&C server.

Simultaneously, it downloads several more disk images to the infected computer, with installers masquerading as Adobe Flash Media Player or Little Snitch. They are in fact run-of-the-mill adware tools that pester you with banners.

How to stay protected

The moral of the story is simple: In a world of information technologies, no systems are totally secure. And built-in protection features cannot be blindly trusted, even if they are considered reliable. Here are some tips on how to safeguard your computer against savvy malware.

  • Do not install pirated versions of applications. If you really need a program, and really, really aren’t prepared to pay for it, first try to find a free alternative.
  • Always download programs from official sources: the App Store or developer websites.
  • If you decide to download an application from an unofficial source, for example a torrent tracker as mentioned above, be sure to check what actually gets downloaded. Be suspicious of any “extra” files in the installation package.
  • Use a reliable antivirus solution that scans all dubious-looking files — bar none.
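To make the third tip concrete, here is an added example (not from the article or from any vendor) of a small shell script a Mac user can run against a mounted disk image or unpacked archive before installing anything. It identifies Windows executables by their "MZ" magic bytes rather than by file extension, so a renamed EXE is still flagged, and it reports a bundled Mono runtime; the MonoBundle folder name comes from the article, while all paths and function names are assumptions.

```shell
# Print every regular file under $1 whose first two bytes are the PE magic "MZ"
# (hex 4d 5a). Checking bytes, not names, catches installer.exe renamed to
# something harmless-looking. od is used because shell strings cannot hold NULs.
scan_for_pe() {
  find "$1" -type f 2>/dev/null | while IFS= read -r f; do
    magic=$(od -An -N2 -tx1 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$magic" = "4d5a" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# Print any bundled Mono runtime folder. A runtime shipped inside the package
# is what lets an EXE run on a Mac whose owner never installed Mono.
find_mono_bundle() {
  find "$1" -type d -name 'MonoBundle' 2>/dev/null
}

# Summarise findings for a package directory; returns 1 if anything is
# suspicious, 0 if the package looks clean.
check_package() {
  pe_files=$(scan_for_pe "$1")
  mono_dirs=$(find_mono_bundle "$1")
  status=0
  if [ -n "$pe_files" ]; then
    printf 'Windows executables found:\n%s\n' "$pe_files"
    status=1
  fi
  if [ -n "$mono_dirs" ]; then
    printf 'Bundled Mono runtime found:\n%s\n' "$mono_dirs"
    status=1
  fi
  # On macOS, also ask Gatekeeper for its own verdict on each .app bundle.
  # This step is skipped on systems without spctl.
  if command -v spctl >/dev/null 2>&1; then
    find "$1" -type d -name '*.app' -prune \
      -exec spctl --assess --type execute -v {} \; 2>&1
  fi
  return $status
}

# Sample usage (path is an assumption): check_package "/Volumes/Little Snitch"
```

Run it against the mounted DMG before opening any installer; a non-zero exit status means the package contains something a native Mac application has no reason to ship.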