Apple updates XProtect to combat ‘Windows’ exploits on Mac machines

Updated: The latest version of XProtect is able to detect the signatures of particular Microsoft Windows files.
Written by Charlie Osborne, Contributing Writer

Apple has updated its XProtect signature set so that it can detect Windows executables that may pose a threat to Mac users.

According to security researcher Patrick Wardle, the update adds detection for Windows Portable Executable (PE) files, both as standalone files and as PE images embedded inside other binaries.

XProtect is Apple's built-in, signature-based malware detection for macOS. It works alongside Gatekeeper, the macOS component that checks the code signature of downloaded apps before they are allowed to run.

Files downloaded by browsers and other apps are tagged with a quarantine attribute (com.apple.quarantine), much like the "mark of the web" that Windows applies to downloads; Gatekeeper and XProtect inspect a file carrying that tag the first time the user opens it.

When such a file is opened, its contents are matched against XProtect's malware definitions; a match blocks the file and warns the user.

XProtect's definitions consist of YARA rules and blocklists. YARA is an open-source pattern-matching tool, developed by VirusTotal, for identifying malware with rules made up of strings and boolean conditions; malware families can be described through textual or binary patterns.
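The following is an added example, not Apple's XProtect rule and not YARA itself: a small Python detector that applies the same check a YARA rule for PE files would express (`uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550`) to a whole file or to a larger blob, so that it also finds PE images embedded inside other binaries. The sample inputs are constructed in the block (`make_pe_stub` builds a minimal, non-runnable DOS + COFF header); no real malware is involved.

```python
"""Minimal PE detector in the spirit of a YARA rule: find Windows Portable
Executable (PE) images, whether they are a whole file or embedded inside a
larger blob (for example a resource shipped inside a macOS .app bundle).

Added example, not Apple's XProtect rule and not YARA. Sample inputs are
constructed by make_pe_stub(); nothing here is executable Windows code.
"""
import struct
from typing import List, Optional

MZ_MAGIC = b"MZ"            # DOS header magic, 0x5A4D little-endian
PE_MAGIC = b"PE\0\0"        # NT signature, 0x00004550 little-endian
E_LFANEW_OFFSET = 0x3C      # DOS header field holding the offset of "PE\0\0"
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def pe_header_at(data: bytes, off: int) -> Optional[dict]:
    """Return PE metadata if a well-formed DOS+COFF header starts at `off`, else None.

    Equivalent YARA condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
    """
    if data[off:off + 2] != MZ_MAGIC:
        return None
    if off + E_LFANEW_OFFSET + 4 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + E_LFANEW_OFFSET)[0]
    pe_off = off + e_lfanew
    # Sanity: e_lfanew must point past the 64-byte DOS header and leave room
    # for the 4-byte signature plus the 20-byte COFF file header.
    if e_lfanew < 0x40 or pe_off + 24 > len(data):
        return None
    if data[pe_off:pe_off + 4] != PE_MAGIC:
        return None
    machine, nsections = struct.unpack_from("<HH", data, pe_off + 4)
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    return {
        "offset": off,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "dll": bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
    }


def find_pe_images(data: bytes) -> List[dict]:
    """Scan a blob for every embedded PE image (the 'binary segment' case).

    A bare 'MZ' string is not enough: the e_lfanew pointer must land on a
    real 'PE\\0\\0' signature, which keeps text hits from being reported.
    """
    hits = []
    start = 0
    while True:
        idx = data.find(MZ_MAGIC, start)
        if idx < 0:
            break
        info = pe_header_at(data, idx)
        if info:
            hits.append(info)
        start = idx + 1
    return hits


def make_pe_stub(machine: int = 0x8664, nsections: int = 1, dll: bool = False) -> bytes:
    """Construct a minimal DOS header + COFF file header (detectable, not runnable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    chars = 0x0002 | (0x2000 if dll else 0)          # EXECUTABLE_IMAGE (+ DLL)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = PE_MAGIC + struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0, chars)
    return bytes(dos) + coff


if __name__ == "__main__":
    # Constructed blob: a fake Mach-O magic, padding, then two embedded PE stubs.
    blob = (b"\xcf\xfa\xed\xfe" + b"\0" * 64 + make_pe_stub()
            + b"padding" + make_pe_stub(0x014C, 3, dll=True))
    for hit in find_pe_images(blob):
        print(hit)
```

The detector deliberately refuses an `MZ` header whose `e_lfanew` does not point to a valid `PE\0\0` signature, so a 16-bit DOS program or a stray "MZ" in text does not count as a Windows PE, which is the same discipline a signature author wants in a YARA rule to keep false positives down.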

The Apple update, dated April 19, adds a definition for one item, MACOS.d1e06b8, which includes a signature for PE files. Wardle connected the signature to TrojanSpy.MacOS.Winplyer, which Trend Micro describes as an .EXE file designed to deploy on Mac machines.


While the .EXE format is more commonly associated with Windows, back in February Trend Micro researchers found an interesting campaign that distributed weaponized .EXE files inside what purported to be an installer for Little Snitch, a popular firewall app for Mac.

The developer of Little Snitch, Objective Development, says that Trend Micro's assertion is incorrect and the software is not an installer for Little Snitch; rather, it is malware that simply claims to be so. 

"We want to make clear that the software available from our website was never infected with such malware," the developers of the firewall app said. "We have very strict security policies in place which guarantee that only authorized and properly signed code is published on our website."

When the .DMG disk image was mounted and the app bundle inside it was extracted, the .EXE file was found hidden within the app.

The main file was able to launch the executable because the Mono framework was also included in the package. Mono is an open-source implementation of Microsoft's .NET platform, including a runtime and a C# compiler, used to build cross-platform applications.


"The bundling of the said framework with the malicious files becomes a workaround to enable EXE files to run on Mac systems," Trend Micro said. "As for the native library differences between Windows and MacOS, the Mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts. Overall, this technique may be done to overcome a malicious user's Objective-C coding limitations."

The TrojanSpy.MacOS.Winplyer campaign made use of this cross-platform compatibility to deploy the malware on Mac for the purposes of information theft and adware infection.


While the malware may have been designed in an attempt to bypass Gatekeeper, there is no evidence that the Trojan is able to do so. Now that XProtect carries a signature for the PE payload, this particular route for the Trojan onto Mac machines has also been closed.

Update 11.52 BST: Clarified that the version of Little Snitch being distributed is not the legitimate version available from the vendor's website, alongside the developer's comments.
