Apple's XProtect security software has been silently updated to include signatures that detect Windows PE files, including Windows executables that can run on Macs through the Mono .NET framework.

XProtect is Apple's built-in antivirus software, which offers real-time protection on Macs. To protect users, XProtect uses signatures built from YARA rules that target known threats to Mac users.

According to Mac security expert Patrick Wardle, two new signatures were released on April 19th, 2019 that, when used together, can detect adware bundles containing Windows executables that can run on macOS.

These two new signatures are called "PE", which detects Windows PE files, and "MACOS.d1e06b8", which detects a specially crafted Windows executable that can run on Macs.

YARA signature for MACOS.d1e06b8 (Source: Patrick Wardle)

XProtect uses the above rule to detect Windows executables that contain the following strings. Note that the strings below were read from the hex visible in the rule, so some may be cut off.

//*ErborC () trackingXML AllInstal offer_parameter offer_id

These strings are associated with adware bundles that contain Windows executables modified to run on Macs using the Mono .NET framework.
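The checks described above, as an added Python example (this is not Apple's XProtect code or Patrick Wardle's YARA rule, whose full text is not reproduced here): the script recognizes a PE image by its MZ and PE headers, reports whether the image is a .NET assembly by looking for a non-empty CLR runtime header (this example's own addition, since the Mono-based adware is managed code), and looks for the strings listed above. The three-of-five hit threshold, the `scan_tree` helper and the constructed sample are assumptions of this example, not the rule's known logic.

```python
"""Added example (not Apple's XProtect code or Patrick Wardle's rule): a
Python approximation of what the two signatures check, so the logic can
be run offline against an extracted Mac app bundle. Only the strings are
known from the page; the CLR-header check, the hit threshold and the
sample builder are this example's own additions."""
import os
import struct
from typing import Dict, List, Optional

# Strings quoted in the article, read off the rule's hex dump, so some may
# be truncated. Substring matching still catches the full word.
ADWARE_STRINGS = [b"//*ErborC", b"trackingXML", b"AllInstal",
                  b"offer_parameter", b"offer_id"]
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def pe_offset(data: bytes) -> Optional[int]:
    """Offset of the 'PE\\0\\0' signature, or None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def is_managed(data: bytes, pe: int) -> bool:
    """True if the optional header has a non-empty CLR runtime header entry,
    i.e. the image carries .NET metadata that Mono (or the CLR) would load."""
    opt = pe + 4 + 20                       # skip signature and COFF header
    if opt + 2 > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return False
    entry = dirs_off + CLR_DIRECTORY_INDEX * 8
    if count_off + 4 > len(data) or entry + 8 > len(data):
        return False
    if struct.unpack_from("<I", data, count_off)[0] <= CLR_DIRECTORY_INDEX:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def classify(data: bytes) -> Dict[str, object]:
    """Mimic the two signatures: "PE" for any Windows image, and the adware
    verdict when the strings are present. Requiring at least three of the
    five strings is this example's choice, not the rule's known logic."""
    pe = pe_offset(data)
    if pe is None:
        return {"pe": False, "managed": False, "hits": [], "verdict": None}
    hits = [s.decode() for s in ADWARE_STRINGS if s in data]
    verdict = "MACOS.d1e06b8-like" if len(hits) >= 3 else "PE"
    return {"pe": True, "managed": is_managed(data, pe),
            "hits": hits, "verdict": verdict}


def scan_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Walk an extracted .app or .pkg payload and report every PE file in it."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = classify(fh.read())
            except OSError:
                continue
            if result["pe"]:
                findings[path] = result
    return findings


def build_sample(managed: bool = True, with_strings: bool = True) -> bytes:
    """Constructed test input: a minimal PE32 header with no code (it does
    not run anywhere) followed by the adware strings. Not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                             # 96 bytes + 16 dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2000, 0x48)
    tail = b"\0".join(ADWARE_STRINGS) if with_strings else bytes(64)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail


if __name__ == "__main__":
    print(classify(build_sample()))
```

Point `scan_tree` at an extracted .app or package payload. A "PE" verdict on its own only says that a Windows binary is present inside a Mac bundle; that is an indicator, not proof of malice, which is why the two signatures are meant to be used together. To compare against what Apple actually ships, the current rules can be read from /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara (on Mojave and earlier the bundle lives under /System/Library/CoreServices/).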

Targeting Mac adware bundles

In February, we reported that malware was spotted that used a Mac installer to execute Windows executables through the Mono .NET framework.

Mono is a cross-platform, open-source implementation of the .NET framework that allows C# programs to run on Windows, macOS, and Linux.

The discovered malware samples would extract a Windows executable named Installer.exe that uses the bundled Mono libraries for Mac to run on macOS.

Mac Adware Bundle with Windows Executable

Once run, the adware bundles would contact remote servers to download "offers" to install. These offers could be unwanted browser extensions, adware, miners, and password-stealing Trojans.

While these adware bundles are Windows executables, they would not actually be able to run on Windows. This is because they attempt to load the Mac builds of the Mono framework libraries, which are not present on Windows. Below you can see what happens when you attempt to run one of these executables on Windows.

Running on Windows

As languages like C# become cross-platform, being able to detect Windows PE files is important to protect users from malware that can now be easily ported to Macs using a framework like Mono.