In the eternal arms race between malware creators and security vendors, a novel new tactic has emerged. Trend Micro has recently reported that Windows executables (.EXE files) are being created that target non-windows platforms such as MacOS. Because .EXE files are not supported as an executable on MacOS the built in Gatekeeper protection layer in MacOS ignores the file. However, the malicious .EXE is being delivered as part of a payload which also includes the Mono framework. Mono (https://www.mono-project.com) is a software platform that enables Windows .NET executables to run on Linux, MacOS and Docker based systems.
By including Mono in the malware payload, the Windows .EXE file is able to execute on the MacOS system. This technique could be further leveraged to deliver malware to any Mono supported platform while potentially avoiding malware detection systems which are naturally biased to look for files compatible with the local operating system.
The example detected by Trend Micro was bundled within a copy of the commercial Little Snitch MacOS firewall application uploaded to a file sharing website and made available for free download.
This development underlines the need for organisations to educate their users not to download applications from unauthorised websites and to invest in a multi-layered cyber-security regime which relies on more than the local detection systems operating on end user devices.