Brazilian underground is the first to spread cross-platform malware

Pierluigi Paganini March 09, 2016

Coders in the Brazilian cybercriminal underground are pioneering cross-platform malware that relies on Java archive (JAR) files.

Recently security experts at Palo Alto Networks uncovered a new family of ransomware dubbed KeRanger that targets Mac OS X users, a reminder that every OS is potentially at risk.

Now researchers at Kaspersky Lab have discovered new families of malware that are being distributed as JAR Java executables to allow the malicious code to run on Mac, Linux, and Windows, and even on Android devices under special conditions.

The malware authors package the malicious code as a JAR file, which is what makes it cross-platform. Of course, in order to run the code the Java Runtime Environment (JRE) must be installed on the target machine.

Fortunately for the crooks, Java is installed on 70-80% of machines worldwide, and Brazilian vxers seem to be aware of this.

“Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows,” wrote Kaspersky cyber threat expert Dmitry Bestuzhev.

“Because Jar files run on Windows, OS X and Linux, wherever Java is installed. This is the very first step cybercriminals from Brazil have made towards ‘cross-platforming’.”

Kaspersky experts noticed that the Brazilian criminal underground is a pioneer in the development of cross-platform malware. The researchers also noticed that the new threats were developed by distinct gangs in Brazil, not by a single group.

Kaspersky discovered several spam campaigns delivering malicious JAR files, either directly or placed inside archives sent as attachments. These campaigns spread malicious code, mainly banking trojans, detected as Trojan-Banker.Java.Agent, Trojan-Downloader.Java.Banload, and Trojan-Downloader.Java.Agent.
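Because the delivery vector described above is a JAR attached directly or buried inside another archive, the check a mail-gateway or triage analyst wants is "does this attachment contain a runnable JAR anywhere, and what is its entry point?". The following is an added example written for this article, not code from Kaspersky or Security Affairs; the sample archives are constructed in memory (the names `fatura.zip`, `boleto.jar`, `loader.Main` and `dl.Run` are invented, and the nesting limit `MAX_DEPTH` is an assumption). A JAR is recognised as a zip that carries `META-INF/MANIFEST.MF`, and nested archives are unpacked recursively.

```python
"""Triage helper: find JAR files in a mail attachment, including JARs nested
inside zip archives. Added example, not Kaspersky's or Security Affairs' code."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
MAX_DEPTH = 3  # assumption: archives nested deeper than this are not unpacked


def manifest_main_class(zf):
    """Return the Main-Class declared in a JAR manifest, or None if absent."""
    try:
        data = zf.read(MANIFEST).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None


def find_jars(blob, name="attachment", depth=0):
    """Recursively locate JAR files in a blob that may be a zip or JAR.

    Returns a list of (path, main_class, size_in_bytes). A JAR is any zip
    containing META-INF/MANIFEST.MF; nested zips are opened up to MAX_DEPTH.
    Non-zip data (class files, text, ...) simply yields no findings.
    """
    found = []
    if depth > MAX_DEPTH or not blob.startswith(b"PK\x03\x04"):
        return found
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return found
    with zf:
        if MANIFEST in zf.namelist():
            found.append((name, manifest_main_class(zf), len(blob)))
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = zf.read(info.filename)
            found.extend(find_jars(inner, f"{name}/{info.filename}", depth + 1))
    return found


def build_jar(main_class):
    """Construct a minimal JAR in memory (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n")
        # A placeholder class entry: only the JVM magic number, no real bytecode.
        zf.writestr(main_class.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_zip(entries):
    """Construct a plain zip archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)
    return buf.getvalue()


# Constructed samples: a bare JAR, a JAR two archives deep, and a harmless zip.
BARE_JAR = build_jar("loader.Main")
WRAPPED = build_zip({"fatura.zip": build_zip({"boleto.jar": build_jar("dl.Run")})})
HARMLESS = build_zip({"readme.txt": b"nothing here"})


def triage(attachments):
    """Map each attachment name to the list of JAR findings inside it."""
    return {name: find_jars(blob, name) for name, blob in attachments.items()}


if __name__ == "__main__":
    report = triage({"a.jar": BARE_JAR, "b.zip": WRAPPED, "c.zip": HARMLESS})
    for att, hits in report.items():
        for path, main, size in hits:
            print(f"JAR found: {path} Main-Class={main} size={size} bytes")
```

The `Main-Class` value is what an analyst would hand to a sandbox or decompiler first; the `size` field is kept in the report because a tiny JAR whose manifest still declares an entry point is the profile of a downloader rather than a full banker.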

Most infections have been observed in Brazil, followed by China and Germany.


Another aspect that makes these campaigns insidious is that the cross-platform malware is stealthy and has a low detection rate. The droppers are tiny pieces of code with limited malicious functionality of their own; for this reason they easily evade detection, and their job is simply to download further malware onto the infected machine.

“Actually, the general detection rate for ALL AV vendors is extremely low,” continues the post.

Cross-OS malware droppers are only the first step

The experts at Kaspersky highlighted that the Brazilian coders have so far developed a cross-OS dropper, currently used to spread older banking malware, but the researchers believe that a fully cross-platform, JAR-packed banking trojan is under development.

As Dmitry Bestuzhev, cyber threats researcher for Kaspersky, explains, this may only be a matter of time.

“Are Brazilian coders going to release full bankers – bandleaders and bankers running exclusively on Jar?” asks the post. “There is no reason to believe they won’t. They have just started and they won’t stop.”

Pierluigi Paganini

(Security Affairs – Brazilian underground, cross-platform malware)


