In this recent incident, attackers could bypass macOS Mojave's protections because of a bug in a developer API. Apple's macOS is perceived to be far more secure than Windows or any other desktop operating system, yet security researchers have warned that attackers are trying to trick its built-in Gatekeeper protection.
The attackers are trying to infect Macs with malware that normally executes only on Windows computers. Researchers at an antivirus provider discovered that it is possible to sneak an EXE file (a format meant for Windows) onto a Mac, carrying a hidden payload.
Researchers from Trend Micro analysed an app, available on a torrent site, that installed the Little Snitch firewall application for macOS. The DMG file containing the firewall application also included an EXE file that delivered a hidden payload. The case revealed a technique that could also be used for evasion in other attacks or infections.
Trend Micro researchers Don Ladores and Luis Magisa wrote, “Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries. In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognised binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.”
EXE files are not natively executable on macOS. In this case, a booby-trapped Little Snitch installer worked around that limitation by bundling the EXE file with the Mono framework, which allows Windows executables to run on various operating systems and also provides DLL mapping and other support.
Since the Gatekeeper security feature only verifies files that macOS itself can execute, EXE files do not undergo this verification. The researchers believe this evasion technique may have been used before in other attacks or attempted attacks.
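Because Gatekeeper keys on the executable formats macOS recognises, a defender checking a downloaded DMG or app bundle has to look at file headers rather than extensions or signatures. The following scanner is an added example (not Trend Micro's tooling or anything from the article): it classifies every file in an unpacked bundle by magic bytes, reports PE (Windows EXE) files, and flags the bundle when such a file sits next to a Mono runtime. The `libmono*` filename heuristic and the sample bundle built in `demo()` are constructed assumptions for illustration.

```python
import os
import struct
import tempfile

# Header magics: Mach-O is what macOS natively runs (and what Gatekeeper assesses); PE is the Windows EXE format.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, either byte order
    b"\xca\xfe\xba\xbe",                        # fat / universal binary
}

def classify(head: bytes) -> str:
    """Classify a file by its header bytes (not its extension): 'pe', 'macho' or 'other'."""
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:2] == b"MZ" and len(head) >= 0x40:
        pe_off = struct.unpack_from("<I", head, 0x3C)[0]  # e_lfanew points at "PE\0\0"
        if head[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "other"

def scan_bundle(root: str) -> dict:
    """Walk an unpacked DMG/app directory and flag PE payloads bundled with Mono."""
    pe_files, mono_libs = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)  # enough for the DOS stub plus the PE signature
            kind = classify(head)
            if kind == "pe":
                pe_files.append(os.path.relpath(path, root))
            # Heuristic (assumption): the Mono runtime ships as libmono*.dylib.
            elif kind == "macho" and name.startswith("libmono"):
                mono_libs.append(os.path.relpath(path, root))
    return {"pe_files": sorted(pe_files), "mono_libs": sorted(mono_libs),
            "suspicious": bool(pe_files) and bool(mono_libs)}

def demo() -> dict:
    """Constructed sample bundle mimicking the EXE-plus-Mono pattern from the article."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Installer.app", "Contents")
    for sub in ("MacOS", "Resources"): os.makedirs(os.path.join(app, sub))
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\0" * 64
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\0" * 60
    for rel, data in [("MacOS/Installer", fake_macho), ("Resources/libmono-2.0.dylib", fake_macho),
                      ("Resources/Installer.exe", fake_pe), ("Resources/Info.plist", b"<plist/>")]:
        with open(os.path.join(app, rel), "wb") as fh:
            fh.write(data)
    return scan_bundle(root)
```

Run `scan_bundle()` against a mounted DMG or an extracted `.app` directory; a non-empty `pe_files` list in a macOS installer is worth a closer look even when `mono_libs` is empty.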