Hackers Find New Ways to Use .EXE Files Against macOS to Launch Malware that Bypasses Protection & Steals Data

Yes, you read that right: an .EXE file running on macOS is something entirely new. Yet security researchers have uncovered exactly this strange activity: EXE files in the wild delivering a malicious payload on Mac.

It not only launches the malware; the .exe file is also capable of bypassing Mac security mechanisms such as Gatekeeper.

Basically, the EXE format is an official Windows-only executable format that cannot run on Linux or macOS; if you try to run one on either OS, it normally just throws an error message.

In this case, the new .EXE file routine evades Gatekeeper protection on Mac because Gatekeeper checks only native Mac files; it does not check EXE files, so the file bypasses signature detection and verification.

This new malware attack has mostly been observed in countries such as the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.

Infection & Behaviour on Mac

Researchers found an installer of the popular firewall app “Little Snitch” that can be downloaded from various torrent websites for Mac and Windows.

Once the ZIP file is extracted, some of the zipped samples turn out to be .NET-compiled Windows executables that contain a .DMG file hosting the installer for Little Snitch.

On analysing the installer contents, the researchers found a very unusual .EXE file inside the MonoBundle directory that is ultimately responsible for the malicious payload.

Mono Bundle turns a Mono application into a Mac bundle, and it can also produce a Mac installer for the application.

According to Trend Micro, “When the installer is executed, the main file also launched the executable as it is enabled by the mono framework included in the bundle. This framework allows the execution of Microsoft .NET applications across platforms such as OSX.”

Once the .DMG file runs, it pops up adware that poses as a legitimate Flash Player installer, and PUAs are also displayed.

This specific malicious .EXE file was also tried on a Windows machine, but there it only displays an error.

“The bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS’ security features. As for the native library differences between Windows and MacOS, mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts.” Trend Micro researchers said.
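Since Gatekeeper assesses the Mach-O launcher while the bundled Mono runtime executes the EXE under Contents/MonoBundle, a defender can look for exactly that: PE images inside an .app bundle. The following scanner is an added example, not code from the article or from Trend Micro; the bundle layout and file names are assumptions, and the PE sample it builds for self-testing is constructed in code.

```python
import os
import struct

def build_sample_pe(clr):
    """Constructed minimal PE32 header (not runnable); clr=True marks a .NET image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\0" * 90                      # PE32 magic + fields
    opt += struct.pack("<I", 16)                                     # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if clr:
        dirs[14] = (0x2008, 0x48)   # data directory 14 = CLR runtime header
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt

def classify_pe(data):
    """Return 'dotnet' or 'native-pe' for a PE image, None for anything else."""
    try:
        if data[:2] != b"MZ":
            return None
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24                                      # signature + COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dir_base = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
        n_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
        if n_dirs <= 14:
            return "native-pe"
        clr_rva = struct.unpack_from("<I", data, dir_base + 14 * 8)[0]
        return "dotnet" if clr_rva else "native-pe"
    except struct.error:
        return None

def scan_bundle(app_dir):
    """Report every PE file under an .app bundle (e.g. Contents/MonoBundle/*.exe),
    which Gatekeeper does not assess but a bundled Mono runtime will execute."""
    hits = []
    for root, _, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                kind = classify_pe(fh.read(4096))   # headers sit in the first page
            if kind:
                hits.append((os.path.relpath(path, app_dir), kind))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for rel, kind in scan_bundle(sys.argv[1]):   # e.g. "Little Snitch.app" (assumed path)
        print(f"{kind:10} {rel}")
```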



BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
