Apple has reportedly updated XProtect, the antivirus software built into macOS, to include signatures that detect Windows PE files and Windows executables that can run on Macs by utilising the Mono .NET framework. Citing Mac security expert Patrick Wardle, Bleeping Computer reported that two new signatures were released on April 19 that, when used together, can detect adware bundles that contain Windows executables that can run on macOS.
“These two new signatures are called ‘PE’, which detects Windows PE files, and ‘MACOS.d1e06b8’, which is used to detect a specially crafted Windows executable that can run on Macs,” the tech news platform reported. Initially, Japan-based cybersecurity firm Trend Micro found .exe files (executable files) delivering a malicious payload on macOS. The highest numbers of infections were seen in the UK, Australia, Armenia, Luxembourg, South Africa, and the US.
The malware utilizes a Mac installer to execute Windows executables using Mono, a cross-platform .NET framework that allows C# programmes to run on Windows, Macs, and Linux. These malware samples would extract a Windows executable file named Installer.exe that, once run, would contact remote servers to download “offers” to install. “These offers could be unwanted browser extensions, adware, miners, and password stealing Trojans,” Bleeping Computer said.
What’s interesting is that although these files are Windows executables, they won’t be able to run on Windows. The reason is that these adware bundles attempt to load the Mac Mono framework libraries, which are not available on Windows.
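A defender triaging an extracted Mac installer can look for the same combination the article describes: a Windows PE file, and specifically a .NET assembly that Mono could load. The sketch below is an added example, not Apple's XProtect signatures or Trend Micro's tooling; `classify_pe`, `scan_tree` and `build_sample` are hypothetical names, and the sample bytes are constructed headers rather than a real binary.

```python
import os
import struct

CLR_DIR = 14  # data directory 14 = CLR runtime header, present in .NET assemblies

def classify_pe(data):
    """Return None (not a PE), 'native-pe' or 'dotnet-pe' for a file's leading bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None  # "MZ" without a PE signature is not a PE image
    opt = e_lfanew + 24  # optional header follows signature + 20-byte COFF header
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if size_opt < 2 or opt + size_opt > len(data):
        return "native-pe"  # PE signature present, optional header absent/truncated
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ directory offset
    if dd_off is None or size_opt < dd_off + (CLR_DIR + 1) * 8:
        return "native-pe"
    count = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    rva, size = struct.unpack_from("<II", data, opt + dd_off + CLR_DIR * 8)
    return "dotnet-pe" if count > CLR_DIR and rva and size else "native-pe"

def scan_tree(root):
    """Map path -> classification for every PE file under an extracted bundle."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_pe(fh.read(4096))  # headers sit near the start
            except OSError:
                continue  # unreadable file: skip it
            if kind:
                hits[path] = kind
    return hits

def build_sample(managed):
    """Constructed minimal PE32 headers (not a runnable binary) for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + CLR_DIR * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Calling `scan_tree` on the directory an installer was unpacked into lists any embedded PE files; a `dotnet-pe` hit inside a Mac bundle is the case worth a closer look.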
This is not the first time that a vulnerability has been found in macOS. In February, an 18-year-old German, Linus Henze, discovered a vulnerability that left users’ saved passwords exposed to hackers. This reportedly included passwords saved in the iCloud Keychain and passwords to banking, social networking and email websites, as well as streaming services like Netflix, Amazon and more.