Security researchers have found Windows EXE files carrying malicious payloads that infect macOS users with infostealers and adware.
Trend Micro found an adware specimen hidden in an installer for the Little Snitch firewall app for Mac, offered for download on various torrent sites. The sample bypassed Gatekeeper on the Mac because that built-in protection checks code signatures only on native macOS binaries; it does not inspect or verify EXE files at all.
The ZIP file downloaded from the torrent sites contains a DMG file, which in turn holds the Little Snitch installer. The installer bundles an EXE file that drops an infostealer onto the computer. The malware then collects basic system information, such as Memory, BootROMVersion and SMCVersion, and scans the Applications directory for installed apps such as App Store, FaceTime and Mail. Once these steps are complete, it sends everything it has gathered to its command-and-control (C&C) server.
The executable can also download further files from the internet, and those files in turn fetch adware and other potentially unwanted applications.
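Because Gatekeeper never looks at EXE files, the practical check a defender can run on a suspicious download is a format check that ignores the file name: a Windows PE image starts with an MZ DOS header whose e_lfanew field points at a PE\0\0 signature and a COFF file header. The following script is an added example (not code from the original article or from Trend Micro) that walks an unpacked download, such as a mounted DMG or an extracted ZIP, and reports every PE image it finds, whatever the extension. The directory layout and file names in demo_scan are a constructed fixture, not the layout of the actual trojanised installer.

```python
import os
import struct
import tempfile
from typing import Dict, List, Optional

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINE_NAMES = {
    0x014C: "i386",
    0x8664: "amd64",
    0x01C0: "arm",
    0xAA64: "arm64",
}

IMAGE_FILE_DLL = 0x2000  # Characteristics flag: the image is a DLL rather than an EXE


def parse_pe_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return basic facts about a PE image if `data` begins with a valid MZ/PE header.

    Checks the DOS stub magic, follows e_lfanew (offset 0x3C) to the PE signature
    and reads the 20-byte COFF file header. The file extension is deliberately
    ignored: a renamed .exe is still a PE file, and that is exactly what
    Gatekeeper will not flag.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The signature (4 bytes) and COFF header (20 bytes) must fit inside the data
    if e_lfanew + 24 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": n_sections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "opt_header_size": opt_size,
    }


def scan_file(path: str) -> Optional[Dict[str, object]]:
    """Read only as much of `path` as the header check needs and parse it."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        if e_lfanew > 4 * 1024 * 1024:  # implausible offset; treat as not a PE file
            return None
        fh.seek(0)
        data = fh.read(e_lfanew + 24)
    return parse_pe_header(data)


def find_pe_files(root: str) -> List[Dict[str, object]]:
    """Walk `root` (e.g. a mounted DMG or an unzipped download) and report every PE image."""
    hits: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                info = scan_file(path)
            except OSError:
                continue
            if info:
                info["path"] = path
                hits.append(info)
    return hits


def build_minimal_pe(machine: int = 0x8664, characteristics: int = 0x0022) -> bytes:
    """Construct a minimal, non-runnable PE header (DOS stub + signature + COFF header)
    for testing; it has no optional header, sections or code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + coff


def demo_scan() -> List[str]:
    """Constructed fixture: a fake unpacked download holding a text file and a PE image
    hidden under a hypothetical name inside an .app bundle. Returns the flagged paths."""
    root = tempfile.mkdtemp(prefix="dmg_scan_")
    bundle = os.path.join(root, "Installer.app", "Contents", "Resources")
    os.makedirs(bundle)
    with open(os.path.join(bundle, "helper.bin"), "wb") as fh:  # hypothetical file name
        fh.write(build_minimal_pe())
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("not an executable\n")
    return [str(h["path"]) for h in find_pe_files(root)]


if __name__ == "__main__":
    for hit in demo_scan():
        print("PE image found:", hit)
```

Run it against the mount point of a DMG (for example the directory under /Volumes after opening the image) or against an extracted ZIP; any hit inside a Mac installer is worth treating as suspicious, since a legitimate macOS installer has no reason to carry a Windows executable.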
Bridging Windows and MacOS with malware
These samples are not the only threat to cross between Windows and macOS. In May 2017, for example, Fox-IT identified a Mac OS X version of the Snake malware, which traditionally targets Windows. Less than a year later, security researcher Patrick Wardle of Objective-See analyzed CrossRAT, a cross-platform threat capable of targeting Windows, macOS and Linux machines.
In some cases, researchers have even observed campaigns that distribute separate threats for Windows and Mac computers. Microsoft security researchers encountered such a case in 2011, which involved the Olyx backdoor alongside Windows malware.
How to protect yourself from malicious .exe files
Security professionals can help protect users from malicious EXE files by creating security policies that restrict the sites from which users may download applications. Such a policy can be part of a broader application-approval framework, in which security teams follow a defined sequence for downloading and reviewing applications and standardise on approved vendors. Since Gatekeeper does not inspect EXE files, these controls cannot rely on Gatekeeper alone. At the same time, security teams should feed user activity analytics into a long-term data repository so that corporate data is adequately protected against digital threats such as infostealers.