Security company Trend Micro has revealed a method hackers are using to bypass the macOS security feature Gatekeeper in order to deploy EXE files containing malware onto their victims’ computers. The discovery was made while analyzing a copy of Little Snitch, a firewall application, that was being distributed as a torrent. The researchers believe that hackers are still studying the malware and the ways it can be used.
Mac users cannot install EXE files, the executable format used by Windows; if a macOS user attempts to open one, they get an error in return. Hackers appear to have found a way around this problem — and specifically around the Gatekeeper feature — by packing the EXE file inside a DMG file, the disk-image format commonly used to distribute applications on Macs.
Trend Micro researchers discovered one of these malware payloads in the wild, according to a new report from the company. The malicious file was able to get around Gatekeeper because Gatekeeper only checks and verifies native macOS files. The executable was found inside the Little Snitch Setup.dmg installer, which on analysis turned out to contain the bundled EXE.
During their research, the security experts found “no specific attack pattern” associated with the malware, noting that most of the infections are in the UK, Australia, Armenia, Luxembourg, South Africa, and the US. Because EXE files won’t run natively on macOS, the hackers bundled the executable with Mono, a free framework that enables Mac users to run Windows executables.
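A defender-side check that follows from the mechanism described above, added here as an example and not part of Trend Micro's report: walk a mounted disk image or extracted bundle and flag any Windows PE executable (by its MZ header and "PE\0\0" signature), since Gatekeeper assesses only native Mach-O files. The sample tree, file names and header bytes below are constructed for the demonstration.

```python
import os
import struct
import tempfile

PE_SIG = b"PE\0\0"
# File-order magics for 32/64-bit Mach-O (both byte orders) and fat binaries
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
# Constructed 68-byte PE stub: "MZ", e_lfanew = 0x40, then the PE signature at 0x40
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + PE_SIG

def classify_executable(head: bytes) -> str:
    """Classify a file by its leading bytes: 'pe' (Windows), 'macho' (native) or 'other'."""
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if len(head) >= 0x40 and head[:2] == b"MZ":
        # An "MZ" prefix alone is not proof; follow e_lfanew (offset 0x3c) to the PE signature
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        if head[e_lfanew:e_lfanew + 4] == PE_SIG:
            return "pe"
    return "other"

def find_pe_files(root: str) -> list:
    """Walk a mounted DMG or extracted bundle and return relative paths of every PE file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(0x1000)
            except OSError:
                continue
            if classify_executable(head) == "pe":
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo() -> list:
    """Build a constructed sample tree (one native app, one bundled EXE, one text file) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "SampleApp.app", "Contents", "MacOS", "SampleApp"),
               b"\xcf\xfa\xed\xfe" + bytes(28))  # MH_CIGAM_64 magic, constructed stub
        _write(os.path.join(root, "setup.exe"), FAKE_PE)
        _write(os.path.join(root, "README.txt"), b"MZ-prefixed text is not a PE file")
        return find_pe_files(root)
```

Run it against the mount point of a downloaded DMG (for example the directory under /Volumes after opening the image) before launching anything inside it; any hit is a Windows binary that Gatekeeper's checks never covered.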
The malicious content collected a range of data about the infected system, including the other apps installed and the model name. Ultimately, the researchers report, this malware was designed specifically to target macOS users; in fact, attempting to run the malware on Windows resulted in an error. Users are advised to avoid downloading software and other files from unverified sources, and to run multiple layers of protection on their Mac to protect themselves.