Windows App Runs on Mac, Downloads Info Stealer and Adware

By Don Ladores and Luis Magisa

EXE is the official executable file format used for Windows to signify that they only run on Windows platforms, and to serve as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification.

However, we found EXE files in the wild delivering a malicious payload that overrides Mac’s built-in protection mechanisms such as Gatekeeper. This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files. While no specific attack pattern is seen, our telemetry showed the highest numbers for infections to be in the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.

Behavior

The sample we examined is an installer of a popular firewall app for Mac and Windows called Little Snitch, available for download from various torrent websites. Names of the .NET compiled Windows executable are as follows:

  • Paragon_NTFS_for_Mac_OS_Sierra_Fully_Activated.zip
  • Wondershare_Filmora_924_Patched_Mac_OSX_X.zip
  • LennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip
  • Sylenth1_v331_Purple_Skin__Sound_Radix_32Lives_v109.zip
  • TORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip
  • Little_Snitch_583_MAC_OS_X.zip

When the downloaded .ZIP file is extracted, it contains a .DMG file hosting the installer for Little Snitch.

Figure 1. Sample of file contained from extracted Windows executable.

Figure 2. Installer of Little Snitch contained in the .DMG sample we analyzed.

Inspecting the installer contents, we found the unusual presence of the .EXE file bundled inside the app, verified to be a Windows executable responsible for the malicious payload.

Figure 3. Suspicious .EXE bundled for Mac app installer.

When the installer is executed, the main file also launched the executable as it is enabled by the mono framework included in the bundle. This framework allows the execution of Microsoft .NET applications across platforms such as OSX.

Once run, the malware collects the following system information:

  • ModelName
  • ModelIdentifier
  • ProcessorSpeed
  • ProcessorDetails
  • NumberofProcessors
  • NumberofCores
  • Memory
  • BootROMVersion
  • SMCVersion
  • SerialNumber
  • UUID

Under the /Application directory, the malware also scans for all the basic and installed apps and sends all the information to the C&C server:

  • App Store.app
  • Automator.app
  • Calculator.app
  • Calendar.app
  • Chess.app
  • Contacts.app
  • DVD Player.app
  • Dashboard.app
  • FaceTime.app
  • Font Book.app
  • Image Capture.app
  • iTunes.app
  • Launchpad.app
  • Mail.app
  • Maps.app
  • Messages.app
  • Mission Control.app
  • Notes.app
  • Photo Booth.app
  • Photos.app
  • Preview.app
  • QuickTime Player.app
  • Reminders.app
  • Safari.app
  • Siri.app
  • Stickies.app
  • System Preferences.app
  • TextEdit.app
  • Time Machine.app
  • UtilitiesiBooks.app

It downloads the following files from the Internet and saves it to the directory ~/Library/X2441139MAC/Temp/:

  • hxxp://install.osxappdownload.com/download/mcwnet
  • hxxp://reiteration-a.akamaihd.net/INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg
  • hxxp://cdn.macapproduct.com/installer/macsearch.dmg

Figure 4. Downloaded files saved in the directory.

These .DMG files are mounted and executed as soon as they are ready, as well as displaying a PUA during execution.

Figure 5. One of the adwares downloaded posing as a popular app.

Figure 6. One of the PUAs displayed when the file is run.

This malware runs specifically to target Mac users. Attempting to run the sample in Windows displays an error notification.

Figure 7. Error notification when installer is executed in Windows.

Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries. In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.

Conclusion

We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design. We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine. Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems.

Trend Micro Solutions

The following Trend Micro products detect and block this threat:

Trend Micro Antivirus for Mac

Trend Micro Smart Protection Suites

Indicators of Compromise

Main Executables

File

SHA256

Detection

setup.dmg

c87d858c476f8fa9ac5b5f68c48dff8efe3cee4d24ab11aebeec7066b55cbc53TrojanSpy.MacOS.Winplyer.A

Installer.exe

932d6adbc6a2d8aa5ead5f7206511789276e24c37100283926bd2ce61e840045TrojanSpy.Win32.Winplyer.A

OSX64_MACSEARCH.MSGL517

58cba382d3e923e450321704eb9b09f4a6be008189a30c37eca8ed42f2fa77afAdware.MacOS.MacSearch.A

chs2

3cbb3e61bf74726ec4c0d2b972dd063ff126b86d930f90f48f1308736cf4db3eAdware.MacOS.GENIEO.AB

Installer (2)

e13c9ab5060061ad2e693f34279c1b1390e6977a404041178025373a7c7ed08aAdware.MacOS.GENIEO.AB

macsearch

b31bf0da3ad7cbd92ec3e7cfe6501bea2508c3915827a70b27e9b47ffa89c52eAdware.MacOS.MacSearch.B
C&C server
hxxp://54.164.144.252:10000/loadPE/getOffers.php

The post Windows App Runs on Mac, Downloads Info Stealer and Adware appeared first on .