
Windows Malware Runs on Mac, Bypasses Gatekeeper to Target Software Pirates


If it wasn't obvious already, pirating software is a risky business, as proven once again by a set of malicious installers targeting macOS users with information stealers and adware, compiled as Windows EXE binaries using the open-source Mono framework.

Mono, sponsored by the .NET Foundation, is designed to let developers build cross-platform .NET applications that can run on macOS, Windows, Android, most Linux distributions, BSD and Solaris, as well as on some game consoles such as PlayStation, Xbox and Wii.

The malware-ridden executables discovered by Trend Micro's Don Ladores and Luis Magisa are distributed via torrent sites and promise to deliver cracked versions of various applications:

  • Little_Snitch_583_MAC_OS_X.zip
  • Paragon_NTFS_for_Mac_OS_Sierra_Fully_Activated.zip
  • Wondershare_Fully_Activated.zip
  • Wondershare_Filmora_924_Patched_Mac_OSX_X.zip
  • LennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip
  • Sylenth1_v331_Purple_Skin__Sound_Radix_32Lives_v109.zip
  • TORRENTINSTANT.COM - Traktor_Pro_2_for_MAC_v321.zip

Mono-based binaries run unobstructed as long as the Mono runtime is available on the system, and the threat actors made sure their malware could run by bundling a copy of the Mono framework inside the downloaded installers.

The installer inside Little_Snitch_583_MAC_OS_X.zip (the one Trend Micro chose to analyze) looks like any other macOS app, but on closer inspection of the application bundle's contents the researchers found the malicious EXE files that deliver "a malicious payload that overrides Mac's built-in protection mechanisms such as Gatekeeper."

Malicious installer

Because running Windows executables is not common on macOS (in fact, trying to do so normally just produces an error), the malicious EXE files bypass the macOS Gatekeeper protection mechanism: Gatekeeper does not recognize them as native binaries and therefore never checks their notarization status or developer ID signature.

"Although no specific attack pattern has been set, our telemetry showed the highest number of infections being in the UK, Australia, Armenia, Luxembourg, South Africa and the United States," says Trend Micro.

After being launched on the victim's Mac, the malware automatically begins collecting system information (i.e., ModelName, ModelIdentifier, ProcessorSpeed, ProcessorDetails, NumberofProcessors, NumberofCores, Memory, BootROMVersion, SMCVersion, SerialNumber, UUID).

Collecting system information
In the next step, it also enumerates all the apps installed on the Mac and exfiltrates all the information it has collected to its command and control (C&C) server.
Although gathering this information is not harmful in itself, the bad actors can later use it to generate statistics on a potential botnet if they ever decide to build one out of the compromised Macs.
Then, it grabs the following files, stores them in ~/Library/X2441139MAC/Temp/, mounts them as DMG images, and runs the binaries found inside:
  • hxxp://install.osxappdownload.com/download/mcwnet
  • hxxp://reiteration-a.akamaihd.net/INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg
  • hxxp://cdn.macapproduct.com/installer/macsearch.dmg
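The two defender-side checks that follow from the behaviour described above (a Windows PE executable hidden inside a macOS application bundle, which Gatekeeper never inspects as a native binary, and the hard-coded staging directory ~/Library/X2441139MAC/Temp/) can be scripted. The example below is added here and is not code from the article or from Trend Micro's analysis; it classifies files by their header bytes (the MZ/PE signature for Windows executables, the Mach-O and fat-binary magic values for native macOS code), walks a bundle reporting any PE file found, and checks a home directory for the staging path. The sample bundle it builds is constructed inline from header bytes only and contains no real executable code.

```python
import os
import struct
import tempfile

# Header constants from the public PE and Mach-O file formats.
PE_MZ = b"MZ"
PE_SIG = b"PE\0\0"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                       # fat / universal binary
}
# Staging directory named in the article, relative to the user's home.
STAGING_SUBDIR = os.path.join("Library", "X2441139MAC", "Temp")


def classify(path):
    """Return 'pe', 'macho' or 'other' based purely on header bytes, not the extension."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) >= 4 and head[:4] in MACHO_MAGICS:
            return "macho"
        if len(head) >= 0x40 and head[:2] == PE_MZ:
            # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            if f.read(4) == PE_SIG:
                return "pe"
    return "other"


def scan_bundle(app_dir):
    """Walk an .app bundle and list every PE executable found inside it."""
    hits = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if classify(path) == "pe":
                    hits.append(os.path.relpath(path, app_dir))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)


def staging_dir_present(home_dir):
    """True if the staging directory used by this malware exists under home_dir."""
    return os.path.isdir(os.path.join(home_dir, STAGING_SUBDIR))


def build_sample_bundle():
    """Constructed sample: a fake .app holding one Mach-O stub and one PE stub (headers only)."""
    base = tempfile.mkdtemp()
    contents = os.path.join(base, "Sample.app", "Contents")
    os.makedirs(os.path.join(contents, "MacOS"))
    os.makedirs(os.path.join(contents, "Resources"))
    # Native main executable: 64-bit little-endian Mach-O magic plus padding.
    with open(os.path.join(contents, "MacOS", "Sample"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 60)
    # Hidden Windows executable: MZ header, e_lfanew = 0x40, PE signature there.
    pe = bytearray(0x80)
    pe[0:2] = PE_MZ
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = PE_SIG
    with open(os.path.join(contents, "Resources", "Installer.exe"), "wb") as f:
        f.write(bytes(pe))
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        f.write(b'<?xml version="1.0"?>')
    return os.path.join(base, "Sample.app")


if __name__ == "__main__":
    bundle = build_sample_bundle()
    for hit in scan_bundle(bundle):
        print("PE executable inside bundle:", hit)
    print("staging dir present:", staging_dir_present(os.path.expanduser("~")))
```

Checking header bytes rather than file names matters here: the embedded executables do not need an .exe extension to be loaded by the bundled Mono runtime, and a name-based search would miss them.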

InstallCapital pushed as payload

From the tests performed by BleepingComputer, the main payload of the malicious executable pushes a pay-per-install adware bundle from the monetization business InstallCapital.

InstallCapital is a well-known adware bundle that is often used as part of Windows-based payloads to install many unwanted programs, including adware, unwanted browser extensions and miners, and at times even to drop some ransomware strains.

InstallCapital package

While the malware developers used an unorthodox approach to delivering Windows-based payload components such as InstallCapital, their malicious EXE binary will not run on Windows systems, because it looks for the Mac-specific Xamarin libraries when started and simply throws an unhandled exception before abruptly terminating.

Launch error on Windows

Trend Micro's research group concludes that "this specific malware may be used as an evasion technique for other attacks or infection attempts to bypass some built-in safeguards such as digital certification checks, since it is an unsupported binary executable in Mac systems by design."

Although this cross-platform malware currently only pushes adware and information stealers to Mac users who risk downloading cracked software, the payload may change at any time in the future to deliver more dangerous malware families such as ransomware or wipers.

Indicators of compromise, such as the SHA256 hashes of the executables Trend Micro found on torrent sites and the C&C server addresses, are provided at the end of the analysis.