Our advanced threat team at Blackpoint Cyber recently came across an interesting find by Trend Micro’s researchers when they noticed that popular torrents promising to deliver cracked versions of popular software actually contained malicious payloads.

This newly discovered campaign contained malicious malware designed to target macOS with the help of an executable .exe file, which is designed to only work on a Windows based operating system.

When .exe files are run on a macOS operating system, they typically result in an error message. However, this malware included files from the Mono.NET framework, which is a popular open source framework that allows developers to create cross-platform Microsoft .NET applications. Since the main macOS application is signed, the macOS Gatekeeper, which verifies if software is legitimate, believed the application was safe and allowed it to execute which in turn launched the malicious .exe file.

When the .exe file (seen above as Installer.exe) runs, it executes data-stealing malware and adware.

This infiltration and code execution method provides a new opportunity for hackers to target macOS. Although the current versions of this malware only steal data and install adware, the ability to execute arbitrary code by hiding it within a legitimate looking macOS application is sure to be leveraged for more malicious purposes.

This malware campaign has been spotted in the United States, United Kingdom, South Africa, Australia, and other countries.

The researchers first discovered this new technique in an application called Little Snitch, which is a popular macOS firewall tool and widely available from websites and torrent streams.

When the researchers started investigating other applications, they discovered other publicly available applications that appeared to be legitimate but were not. The following is a list of other .DMG files that contained the same malware:

• Little_Snitch_583_MAC_OS_X.zip
• LennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip
• TORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip

• Sylenth1_v331_Purple_Skin__Sound_Radix_32Lives_v109.zip

The above zip files contain a .DMG file. When extracted from the zip file and opened, the .DMG file launches the malware which begins silently collecting various machine information such as:

• ModelName
• ModelIdentifier
• Processor Speed
• ProcessorDetails
• Memory
• BootROMVersion
• SMCVersion
• SerialNumber

Along with collecting system information, the malware also scans the infected machine for basic installed apps and sends the gathered information to a remote command and control server.

In addition, the malware downloads several files from the internet and saves them to the directory ~/Library/X2441139MAC/Temp/:

• hxxp://install.osxappdownload.com/download/mcwnet
• hxxp://reiteration-a.akamaihd.net/INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg
• hxxp://cdn.macapproduct.com/installer/macsearch.dmg

This new malware shows how hackers continue to innovate and develop new ways to achieve code execution. At Blackpoint, we believe in developing technological solutions and services that are malware agnostic and focus on tradecraft and techniques. To learn more, check out https://blackpointcyber.com/