Winplyer is a MacOS malware that executes a Windows binary on the infected system using the Mono framework. This allows the execution of Microsoft .NET executables on the Mac operating system. The malware is propagating as different MacOS application such as “Little Snitch”, “Paragon NTFS” and more in torrent websites. Upon execution, the malware will collect and send information from the system such as ModelName, ProcessorDetails, SerialNumber and applications installed on the system on the “/Applicaiton” folder. Below we can see the content of one of the malicious files, that contains the Mono framework files, and the Windows binary files.

Source: Trend Micro


The malware will then download and execute additional files, mostly adware. It is worth mentioning that the malware only targets MacOS users as its windows binaries fail to execute on Windows machines.

Source: CheckPoint


Links:


Samples:
b1e8b8813ff9a156a6cd8b7ad2b0d0039ea31ede