The raise of Multi-platform malware

The malware factory still evolving, every day security firms detect new cyber threats that show new sophisticated techniques to avoid protection systems, this is a war that law enforcement fight against cyber criminals.

Internet has a new web exploit produced by crime industry, its particularity is that in the deployment phase it is able to detect the OS of the host and choose the appropriate malware to launch to infect it.

Windows, Linux or Mac OS, no one is safe, that is the result of the discovery made by the experts of the security firm F-Secure that have isolated what is considered a multi-platform backdoor on Colombian Transport site.

Multi-platform attacks are rarer, they represent a considerable evolution to take into account. Of course the multi platform malware represent a great evolution for the cyber crime because they give the opportunity to an attacker to infect the major number of machines independently from

The mechanism is simple, using a Jar the backdoor is able to identify the OS and after download the right files to infect the machine.

Once identified the type of operating system that is running, the Java class file will download the appropriate malware, with the purpose to open a backdoor to allow remote access to your machine.

Following is reported the source code of the applet used to distinguish the running OS on victim pc.

Of course the attack must be completed with a sort of social engineering, in order to accept the malicious file the internet users are circumvented by proposing to run a benign singned applet.

The malicious files developed for each type of OS connect to the same Command & Control server that F-Secure has localized at IP address 186.87.69.249.

The F-Secure blog post reported also the following info to qualify the malware:

Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)

The MacOSX sample is a PowerPC binary, as such, executing the file in an Intel-based platform will require Rosetta.

We must specify that this isn’t the first multi-platform malware detected, in 2010 was detected for example the Boonana malware which also used a malicious Java applet to spread itself on multiple machine.

Malware of this type will increase in number in coming months, no platform is immune so it is desirable that the internet user is aware of the cyber threats and take appropriate precautions.

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.