Apple updates XProtect to combat ‘Windows’ exploits on Mac machines
Apple has upgraded its XProtect security software to be able to detect Windows files which may be a threat to Mac users.
According to security researcher Patrick Wardle, the update will now detect Windows Portable Executable (.PE) files and binary segments.
XProtect is a signature-based system and is linked to the iPad and iPhone maker’s built-in macOS antivirus software Gatekeeper.
In order to protect and warn users of malicious files on their system, Gatekeeper uses a form of file quarantine similar to those found on Microsoft Windows machines.
If a suspicious file is present, its signature is checked against XProtect’s malware definition records.
XProtect is based on Yara rules and blacklists. Yara is an open-source tool developed by Google for rudimentary malware checks based on rules consisting of strings and boolean expressions. Malware families can be described through textual or binary patterns.
The Apple update, dated April 19, adds a definition for one item, MACOS.d1e06b8, which includes a signature for PE files. Wardle connected the signature to TrojanSpy.MacOS.Winplyer, which Trend Micro describes as an .EXE file designed to run on Mac machines.
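To illustrate the kind of check a PE-file signature encodes, here is an added example in Python, not Apple's XProtect rule or Trend Micro's code: it validates the DOS and NT header structure of a candidate file rather than matching the two "MZ" bytes alone, and applies that check to every file inside an extracted app bundle. The sample header bytes are constructed for the demonstration and do not form a runnable executable.

```python
import struct
from pathlib import Path

# Added example: structural PE check of the sort a signature rule expresses.
# Not Apple's XProtect definition; the constants are the documented PE values.
IMAGE_DOS_SIGNATURE = b"MZ"          # DOS stub magic at offset 0
IMAGE_NT_SIGNATURE = b"PE\x00\x00"   # NT headers signature at e_lfanew
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}


def pe_info(data: bytes):
    """Return (machine_name, e_lfanew) if data starts a PE image, else None."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Bounds check first: a forged e_lfanew must never index past the buffer.
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})"), e_lfanew


def scan_files(files):
    """files: mapping of relative path -> leading bytes. Returns PE hits."""
    hits = []
    for name, head in files.items():
        info = pe_info(head)
        if info:
            hits.append((name, info[0]))
    return hits


def scan_bundle(bundle: Path):
    """Walk an extracted .app bundle; the PE header lives in the first page."""
    files = {}
    for p in bundle.rglob("*"):
        if p.is_file():
            with p.open("rb") as f:
                files[str(p.relative_to(bundle))] = f.read(4096)
    return scan_files(files)


def build_sample_pe(machine: int = 0x8664) -> bytes:
    """Constructed sample: DOS header, padding, then a minimal COFF header."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew -> NT headers at 0x80
    nt = IMAGE_NT_SIGNATURE + struct.pack("<H", machine) + b"\x00" * 18
    return bytes(dos) + b"\x00" * (0x80 - len(dos)) + nt


if __name__ == "__main__":
    print(scan_files({"Contents/Resources/Installer.exe": build_sample_pe()}))
```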
While the .EXE format is more commonly associated with Windows, back in February, Trend Micro researchers found an interesting campaign which was making use of weaponized .EXE files bundled with a popular firewall app for Mac called Little Snitch.
When the .DMG file was extracted, the .EXE file was found hidden inside the app.
The main file could launch the executable because the Mono framework was also included in the package. Mono is an open-source framework containing a C# compiler for the creation of cross-platform applications.
“The bundling of the said framework with the malicious files becomes a workaround to enable EXE files to run on Mac systems,” Trend Micro said. “As for the native library differences between Windows and MacOS, the mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts. Overall, this technique may be done to overcome a malicious user’s Objective-c coding limitations.”
The TrojanSpy.MacOS.Winplyer campaign made use of this cross-platform compatibility to deploy the malware on Mac for the purposes of information theft and adware infection.
While the malware may have been designed in an attempt to bypass Gatekeeper, there is no evidence that the Trojan is able to do so. Now that XProtect has been upgraded to detect the attempt, this particular route onto Mac machines has also been closed to the Trojan.