Story

The raise of Multi-platform malware

The malware factory still evolving, every day security firms detect new cyber threats that show new sophisticated techniques to avoid protection systems, this is a war that law enforcement fight against cyber criminals.

Internet has a new web exploit produced by crime industry, its particularity is that in the deployment phase it is able to detect the OS of the host and choose the appropriate malware to launch to infect it.

Windows, Linux or Mac OS, no one is safe, that is the result of the discovery made by the experts of the security firm F-Secure that have isolated what is considered a multi-platform backdoor on Colombian Transport site.

Multi-platform attacks are rarer, they represent a considerable evolution to take into account.  Of course the multi platform malware represent a great evolution for the cyber crime because they give the opportunity to an attacker to infect the major number of machines independently from

The mechanism is simple, using a Jar the backdoor is able to identify the OS and after download the right files to infect the machine.

Once identified the type of operating system that is running, the Java class file will download the appropriate malware, with the purpose to open a backdoor to allow remote access to your machine.

Following is reported the source code of the applet used to distinguish the running OS on victim pc.

Of course the attack must be completed with a sort of social engineering, in order to accept the malicious file the internet users are circumvented by proposing to run a benign singned applet.

 

The malicious files developed for each type of OS connect to the same Command & Control server that F-Secure has localized at IP address 186.87.69.249.

The F-Secure blog post reported also the following info to qualify the malware:

Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)

The MacOSX sample is a PowerPC binary, as such, executing the file in an Intel-based platform will require Rosetta.

We must specify that this isn’t the first multi-platform malware detected, in 2010 was detected for example the Boonana malware which also used a malicious Java applet to spread itself on multiple machine.

Malware of this type will increase in number in coming months, no platform is immune so it is desirable that the internet user is aware of the cyber threats and take appropriate precautions.

Pierluigi Paganini

 

References

http://securityaffairs.co/wordpress/7233/cyber-crime/the-raise-of-multi-platform-malware.html