Firewall app loads hidden payload

In 2015, macOS Security Expert Patrick Wardle reported almost shockingly simple method hackers could employ to get around the Mac Gatekeeper system, which is the first line of defense against malware. He simply bundled two executable files: One signed and one not signed. Apple promptly fixed this weakness when Wardle reported it, but the hackers did not stop looking for new ways to infect Mac systems.

Recently, researchers at Trend Micro discovered an app on a popular Torrent site that was promised to install a macOS program called Little Snitch, which is a firewall app.  Lurking inside the package, however, was an EXE file that could deliver a hidden payload.

Trend Micro had the following to say about the discovery

"We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design. We think that the cyber-criminals are studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cyber-criminals can use this information and routine."

Normally, a Windows executable file can't and won't run on a Mac. The hackers have worked around this by bundling the EXE with a free framework called Mono.  Trend's research team went onto say:

"Currently, running an EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS.  Normally, a Mono framework installed in the system is required to compile or load executables and libraries.  In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS' security features.  As for the native library differences between Windows and MacOS, Mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts."

Our perspective

Long story short, Mac users have a new potential threat to worry about.  Stay vigilant.


The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available at dwpia on LinkedIn, at dwpia on Facebook, and @dwpia on Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Denis S Wilson

I am President and Principal Consultant for DWP Information Architects: specializing in managed IT support for smaller healthcare practices, clinics, insurance companies, and nonprofit companies in Ventura County and San Fernando Valley. And have created cost-effective IT solutions, for over 20 years, specializing in cybersecurity and regulatory compliance.

I am also a published author and speaker, working extensively with organizations that include: the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers. As well as providing small business technology education programs through business and professional associations.

Contact me if you would like me to speak at your meeting.

Meanwhile, check out this report

Executive Report: 10 Hidden IT Risks That Might Threaten Your Business