
Brazilian underground is the first to spread cross-platform malware

Coders in the Brazilian cybercriminal underground are pioneering cross-platform malware that relies on Java archive (JAR) files.

Security experts at Palo Alto Networks recently uncovered a new ransomware family, dubbed KeRanger, that targets Mac OS X users, a reminder that every OS is potentially at risk.

Now researchers at Kaspersky Lab have discovered new malware families that are distributed as JAR Java executables, so that the same malicious code runs on Mac, Linux and Windows, and even on Android devices under special conditions.

The malware authors pack the malicious code as a JAR file to make it cross-platform. A JAR is just a ZIP archive of compiled Java classes plus a manifest, so it does nothing on its own: a Java Runtime Environment (JRE) must be installed on the target machine for the code to run.

Fortunately for the crooks, Java is installed on 70-80% of machines worldwide, and Brazilian malware writers (vxers) seem well aware of this.

“Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows,” wrote Kaspersky cyber threat expert Dmitry Bestuzhev.

“Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards ‘cross-platforming’.”

Kaspersky experts consider the Brazilian criminal underground a pioneer in the development of cross-platform malware. The researchers also noted that the new threats were developed by distinct gangs in Brazil, not by a single group.

Kaspersky observed several spam campaigns delivering malicious JAR files as attachments, either directly or placed inside other archives. These campaigns mainly spread banking trojans and their downloaders, which Kaspersky detects as Trojan-Banker.Java.Agent, Trojan-Downloader.Java.Banload and Trojan-Downloader.Java.Agent.

Most infections have been observed in Brazil, followed by China and Germany.

Another aspect that makes these campaigns insidious is that the cross-platform malware is stealthy and has a low detection rate. The droppers are tiny pieces of code with limited malicious functionality: because they carry so little on their own, they easily evade antivirus detection, and their only job is to download further malware onto the infected machine.
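The two points above (JARs arriving directly or nested inside another archive, and droppers small enough to slip past signature-based detection) suggest a cheap, content-based triage step on mail attachments: look for anything that is structurally a JAR, regardless of its file extension, and flag it as executable when its manifest declares a Main-Class. The following is an added example written for this article, not code from Kaspersky or Security Affairs. The sample attachment, the file name Comprovante.jar and the placeholder class bytes are constructed stand-ins, not real samples from the campaigns.

```python
"""Flag executable JARs in e-mail attachments, including JARs nested inside
other archives. Added example; uses only the Python standard library."""
import io
import zipfile

MAX_DEPTH = 3                 # how deep into nested archives to look
MAX_MEMBER_BYTES = 5 * 2**20  # skip members whose declared size exceeds this (zip-bomb guard)
MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(data: bytes) -> dict:
    """Parse the main section of a JAR manifest into a dict.

    Lines are 'Name: Value'; a line starting with a single space continues the
    previous value (the format wraps long values at 72 bytes). The main section
    ends at the first blank line; per-entry sections after it are ignored here.
    """
    attrs, last = {}, None
    for line in data.decode("utf-8", "replace").splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def scan_bytes(data: bytes, path: str = "attachment", depth: int = 0, findings=None) -> list:
    """Return one finding per JAR found in `data` or in archives nested in it.

    Detection is content-based (a ZIP that carries a manifest or .class files),
    so renaming the extension does not hide the JAR from this check.
    """
    if findings is None:
        findings = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        class_count = sum(n.endswith(".class") for n in names)
        if MANIFEST in names or class_count:
            manifest = parse_manifest(zf.read(MANIFEST)) if MANIFEST in names else {}
            main_class = manifest.get("Main-Class")
            findings.append({
                "path": path,
                "main_class": main_class,
                "class_count": class_count,
                # A Main-Class makes the JAR directly runnable (double-click / `java -jar`)
                "verdict": "executable-jar" if main_class else "jar-library",
            })
        for info in zf.infolist():
            # file_size is the declared size; good enough to refuse obvious bombs cheaply
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                scan_bytes(member, f"{path}!{info.filename}", depth + 1, findings)
    return findings


def build_jar(entries: dict, main_class: str = None) -> bytes:
    """Build a minimal JAR in memory (constructed sample, not real malware).
    Class bodies are placeholder bytes, not valid bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = "Manifest-Version: 1.0\r\n"
        if main_class:
            manifest += f"Main-Class: {main_class}\r\n"
        zf.writestr(MANIFEST, manifest + "\r\n")
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed stand-in for a 'JAR inside an archive' attachment: an outer
    ZIP holding one executable JAR whose only class is a small loader."""
    inner = build_jar({"Loader.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16}, main_class="Loader")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovante.jar", inner)  # assumed file name
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_bytes(build_sample_attachment()):
        print(finding)
```

On the constructed sample the scanner reports one finding at `attachment!Comprovante.jar` with verdict `executable-jar`, Main-Class `Loader` and a single class, which is exactly the profile of a tiny dropper; a JAR with classes but no Main-Class is reported as `jar-library` so that ordinary Java dependencies are not flagged with the same severity. The check is deliberately structural rather than signature-based, since the article's point is that the droppers carry too little code for signatures to catch them.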

“Actually, the general detection rate for ALL AV vendors is extremely low,” continues the post.

Cross-OS malware droppers are only the first step

The Kaspersky experts highlighted that, for now, the Brazilian coders use the cross-OS dropper only to deliver their older, Windows-only banking malware, but they believe a fully cross-platform banking trojan packed as a JAR is already under development.

As Dmitry Bestuzhev, cyber threats researcher for Kaspersky, explains, this may only be a matter of time.

“Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar? There is no reason to believe they won’t. They have just started and they won’t stop,” states the post.

Pierluigi Paganini

(Security Affairs – cross-platform malware, Brazilian cybercrime)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
