14 DAY TRIAL // The moment Mac and Linux users have dreaded is here, and that's when Windows' vast malware scene spills over into their operating system via cross-platform threats.
The news comes to us thanks to Kaspersky, a well-known antivirus vendor, which has recently picked up on a few malware families that are being distributed as JAR Java executables.
As we know, Java JAR files will run on all three major platforms, Mac, Linux, and Windows, and even on Android devices under special conditions.
By packing malware as a JAR file, crooks are practically making sure their content will be executed on all targets, regardless of operating system, something that's not possible today.
Currently, malware operators need to create a different version of their malware for each operating system, taking into account the subtle difference between each platform, something the Java Runtime Environment (JRE) fixed a long time ago.
This means that JRE needs to be installed on each victim's computer for the malware to run, which, in most cases, it is, with Java being quite a popular platform - it is installed on 70-80% of computers worldwide, according to different statistics sources.
Brazil coders have created cross-platform malware droppers
According to Kaspersky, Brazil's criminal underground seems to be the first one that has taken this step. What's even more interesting is the fact that this is not the work of one coding crew, but there are different gangs in Brazil experimenting with JAR files for their malware.
Up until now, Kaspersky has seen two different spam campaigns that are delivering malicious JAR files, or JAR files placed inside archives. These threats are detected under the names Trojan-Banker.Java.Agent, Trojan-Downloader.Java.Banload, and Trojan-Downloader.Java.Agent.
The bad news is that detection in VirusTotal scanners is pretty low, but the good news is that these aren't real "malware," being just simple droppers.
Cross-OS malware droppers are only the first step
A malware dropper is a simplistic threat that is, above all, small, with less malicious functionality so it can avoid antivirus detection. Its main role is to get a foothold in the system and download the real malware later on from a C&C server.
But having cross-platform droppers is theoretically just like having cross-platform malware since most malware operators will tell you that the hardest thing is to penetrate the user's system. Once this happens, which is the task of a dropper, then it's a clear road for exploitation for the threat that the dropper downloads.
Kaspersky says that these particular campaigns detected coming from Brazilian cyber-crime gangs are spreading banking trojans. The groups have only developed a cross-OS dropper at the moment and are still delivering their older banking trojans.
Of course, the only reason a cross-platform JAR-packed banking trojan doesn't exist right now is the fact that the groups haven't gotten to developing it, having barely launched their JAR dropper.
As Dmitry Bestuzhev, cyber threats researcher for Kaspersky, explains, this may only be a matter of time. "There is no reason to believe they won’t. They have just started and they won’t stop," Mr. Bestuzhev says.
Right now, infections with these three malware families that leverage JAR files are popping up mainly in Brazil, but a large number of victims was also recorded in China and Germany, where Kaspersky says that local cyber-crime gangs are also experimenting with the same JAR-packing techniques.
