If it wasn't already obvious, pirated software is a risky business, as proven again by a set of malicious installers that target macOS users with infostealers and adware and are compiled as Windows EXE binaries using the open-source Mono framework.
Mono is an open-source implementation of .NET sponsored by the .NET Foundation. It lets developers build .NET applications that can later run on multiple platforms: macOS, Windows, Android, most Linux distributions, BSD and Solaris, as well as game consoles such as PlayStation, Xbox and Wii.
The malware-ridden executables, discovered by Trend Micro's Don Ladores and Luis Magisa, are distributed via torrent sites and promise cracked versions of various applications, among them:
- TORRENTINSTANT.COM – Traktor_Pro_2_for_MAC_v321.zip
Mono-based binaries run unobstructed as long as the Mono runtime is present on the system, and the threat actors made sure their malware could run by shipping a copy of the Mono framework inside the downloaded installers.
The installer inside Little_Snitch_583_MAC_OS_X.zip (the one Trend Micro chose to analyze) looks like any other macOS app, but on closer inspection of the application bundle's contents the researchers found the malicious EXE files, which deliver "a malicious payload that overrides Mac's built-in protection mechanisms such as Gatekeeper."
Running Windows executables is not a supported operation on macOS (trying to do so directly only produces an error), and that is precisely what lets the malicious EXE files slip past Gatekeeper: because it does not recognize them as native binaries, Gatekeeper never checks their notarization status or Developer ID signature. The bundled Mono runtime then loads the unchecked EXE and executes it.
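The Gatekeeper gap described above is worth checking for directly: a bundle that carries a Windows PE file next to a Mono runtime is exactly the pattern Trend Micro describes. The script below is an added example written for this page, not code from Trend Micro or BleepingComputer. It identifies executables by their header bytes (the DOS "MZ" stub and "PE\0\0" signature, the Mach-O magics) rather than by file extension, since a renamed .exe would defeat an extension check. The Mono filenames it looks for (libmonosgen, mono-sgen, mscorlib.dll) are an assumption about a typical Mono redistributable, and the bundle it scans is constructed in a temporary directory for the demo.

```python
"""Triage a macOS .app bundle for embedded Windows PE executables.

Added example, not Trend Micro's or BleepingComputer's code. Assumes the
usual bundle layout (Contents/MacOS for the launcher, Contents/Resources
for data) but walks every file regardless of where it sits.
"""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\x00\x00"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O, both byte orders
    b"\xca\xfe\xba\xbe",                        # fat / universal binary
}
# Assumption: filenames typical of a bundled Mono runtime; adjust per build.
MONO_HINTS = ("libmonosgen", "libmono-", "mono-sgen", "mscorlib.dll")


def classify(path):
    """Return 'pe', 'macho' or 'other' from header bytes, ignoring the name."""
    try:
        with open(path, "rb") as f:
            head = f.read(4096)
    except OSError:
        return "other"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        # e_lfanew at offset 0x3C holds the file offset of the PE signature.
        pe_off = struct.unpack_from("<I", head, 0x3C)[0]
        with open(path, "rb") as f:
            f.seek(pe_off)
            if f.read(4) == PE_SIGNATURE:
                return "pe"
    return "other"


def scan_bundle(bundle_dir):
    """Walk an .app bundle; report PE files and whether a Mono runtime ships inside."""
    findings = {"pe_files": [], "macho_files": [], "mono_runtime": False}
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir)
            if any(hint in name.lower() for hint in MONO_HINTS):
                findings["mono_runtime"] = True
            kind = classify(path)
            if kind == "pe":
                findings["pe_files"].append(rel)
            elif kind == "macho":
                findings["macho_files"].append(rel)
    # Any PE inside a Mac bundle is something Gatekeeper never evaluated.
    findings["suspicious"] = bool(findings["pe_files"])
    return findings


def make_fake_pe(path):
    """Write a minimal DOS stub plus PE signature (constructed sample, not a real binary)."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> signature at 0x80
    with open(path, "wb") as f:
        f.write(bytes(header) + PE_SIGNATURE + b"\x4c\x01")  # machine = i386


def make_fake_macho(path):
    """Write a 64-bit little-endian Mach-O magic followed by padding (constructed sample)."""
    with open(path, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)


def build_demo_bundle(base):
    """Lay out a constructed bundle mimicking the described installer: native launcher,
    a Mono runtime library, one .exe and one PE renamed to hide it from extension checks."""
    contents = os.path.join(base, "Little_Snitch.app", "Contents")
    os.makedirs(os.path.join(contents, "MacOS"), exist_ok=True)
    os.makedirs(os.path.join(contents, "Resources"), exist_ok=True)
    make_fake_macho(os.path.join(contents, "MacOS", "Installer"))
    make_fake_macho(os.path.join(contents, "Resources", "libmonosgen-2.0.dylib"))
    make_fake_pe(os.path.join(contents, "Resources", "Installer.exe"))
    make_fake_pe(os.path.join(contents, "Resources", "update.dat"))  # renamed PE
    return os.path.join(base, "Little_Snitch.app")


def demo():
    """Build the constructed bundle in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bundle(build_demo_bundle(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real download, call scan_bundle('/path/to/Some.app'); any hit in pe_files is reason to inspect the launcher with codesign -dv --verbose=4 and spctl --assess before trusting the bundle, since a valid signature on the native launcher says nothing about the PE it loads.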
"Although no specific attack pattern has been seen, our telemetry showed the highest number of infections being in the UK, Australia, Armenia, Luxembourg, South Africa and the United States," says Trend Micro.
Once launched on the victim's Mac, the malware automatically begins collecting system information (i.e., ModelName, ModelIdentifier, ProcessorSpeed, ProcessorDetails, NumberofProcessors, NumberofCores, Memory, BootROMVersion, SMCVersion, SerialNumber, UUID).
InstallCapital pushed as payload

In tests performed by BleepingComputer, the main payload of the malicious executable is a pay-per-install adware bundle from the monetization business InstallCapital.
InstallCapital is a well-known adware bundler that is often used as part of Windows-based payloads to install a wide range of unwanted programs, including adware, unwanted browser extensions, cryptominers, and at times even ransomware strains.
While the malware developers took an unorthodox approach to delivering Windows-based payload components such as InstallCapital, their malicious EXE binary will not run on Windows systems: it looks for Mac-specific Xamarin libraries at startup and simply throws an unhandled exception before exiting.
Trend Micro's research team concludes that "this specific malware may be used as an evasion technique for other attacks or infection attempts to bypass some built-in safeguards such as digital certificate checks, since EXE is an unsupported binary executable on Mac systems by design."
Although this cross-platform malware currently only pushes adware and infostealers to Mac users who take the risk of downloading cracked software, the payload could change at any time to deliver more dangerous malware families such as ransomware or wipers.
Indicators of compromise, such as SHA256 hashes for the executables Trend Micro found on torrent sites and C&C server addresses, are provided at the end of Trend Micro's analysis.