(Translated from the original Italian)
An unusual web attack is in the wild: at deployment time it detects the operating system of the visiting host and picks the matching malware to infect it.
The malware targets Windows, Linux and Mac OS X, so no platform is spared. The discovery comes from researchers at the security firm F-Secure, who isolated what they describe as a multi-platform backdoor on a Colombian transport website.
Multi-platform attacks are still rare, but they mark a notable step forward for cyber crime: a single infection chain lets an attacker compromise a far larger pool of machines, because the victim's operating system no longer limits the campaign.
The mechanism is simple. A malicious JAR served by the compromised site identifies the visitor's operating system and then downloads the files suited to that platform.
Once the operating system is known, a Java class in the applet fetches the matching payload, whose purpose is to open a backdoor that gives the attacker remote access to the machine.
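As an added illustration (this is not code from the F-Secure post or from the malware itself), the following Python script shows how an analyst could triage a JAR for the dropper pattern just described: it parses the constant pool of every class file in the archive and flags classes that read `os.name`, carry platform-name literals, and reference both a download API and a file-write or exec API. The JAR it scans is constructed in memory; the class names, the indicator sets and the "all four together" threshold are my own assumptions for the example, not indicators taken from the GetShell sample.

```python
import io
import struct
import zipfile

# Byte sizes of the fixed-length constant pool entries (JVM spec, section 4.4);
# tag 1 (CONSTANT_Utf8) is variable-length and handled separately.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Heuristic indicator sets: assumptions for this example, not IOCs from the sample.
OS_PROBE_KEYS = {"os.name", "os.arch"}
DOWNLOAD_APIS = {"java/net/URL", "java/net/URLConnection",
                 "java/net/HttpURLConnection", "openConnection", "openStream"}
DROP_EXEC_APIS = {"java/io/FileOutputStream", "java/lang/Runtime",
                  "java/lang/ProcessBuilder", "exec"}
OS_LITERALS = ("windows", "linux", "mac")


def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 entry in a class file's constant pool.

    String literals, class names and method names all live here, so this is
    enough to see which APIs a class touches without a full disassembler.
    """
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", class_bytes, 8)[0]
    pos, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack_from(">H", class_bytes, pos)[0]
            pos += 2
            strings.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        index += 2 if tag in (5, 6) else 1   # Long and Double occupy two slots
    return strings


def triage_class(strings):
    """Score one class against the OS-probe-then-download-then-run pattern."""
    s = set(strings)
    report = {
        "os_probe": sorted(s & OS_PROBE_KEYS),
        "os_literals": sorted(x for x in s if any(k in x.lower() for k in OS_LITERALS)),
        "download": sorted(s & DOWNLOAD_APIS),
        "drop_exec": sorted(s & DROP_EXEC_APIS),
    }
    # Flag only the full chain: probe the OS, branch on a platform name,
    # fetch something from the network, then write it out or execute it.
    report["suspicious"] = all(report[k] for k in ("os_probe", "os_literals", "download", "drop_exec"))
    return report


def triage_jar(jar_bytes):
    """Run triage_class over every .class entry in a JAR given as bytes."""
    reports = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                reports[name] = triage_class(constant_pool_strings(zf.read(name)))
    return reports


def build_class_file(utf8_strings):
    """Constructed fixture: a class-file prefix whose constant pool holds the
    given Utf8 entries plus one Long (two slots) and one Class reference.
    Only the constant pool is present, which is all the parser reads."""
    pool = bytearray()
    for text in utf8_strings:
        data = text.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(data)) + data
    pool += b"\x05" + struct.pack(">Q", 0)      # CONSTANT_Long, two slots
    pool += b"\x07" + struct.pack(">H", 1)      # CONSTANT_Class -> entry #1
    count = len(utf8_strings) + 2 + 1 + 1       # slots used + 1, per the spec
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, count)
    return header + bytes(pool)


def build_sample_jar():
    """Constructed in-memory JAR: one dropper-like class, one benign class."""
    dropper = build_class_file([
        "java/lang/System", "getProperty", "os.name", "Windows", "Linux", "Mac OS",
        "java/net/URL", "openConnection", "java/io/FileOutputStream",
        "java/lang/Runtime", "exec"])
    benign = build_class_file([
        "java/lang/System", "getProperty", "user.home", "java/io/PrintStream",
        "println", "Hello"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Dropper.class", dropper)
        zf.writestr("com/example/Hello.class", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for name, report in triage_jar(build_sample_jar()).items():
        flag = "SUSPICIOUS" if report["suspicious"] else "clean"
        hits = {k: v for k, v in report.items() if v and k != "suspicious"}
        print("%-28s %s %s" % (name, flag, hits))
```

To use it on a real sample, pass the bytes of the downloaded JAR to `triage_jar`. The check is deliberately conservative (all four indicator groups must co-occur in one class) so that ordinary applets that merely read `os.name` for layout or font decisions are not flagged; a dropper that splits the logic across several classes, or hides the strings with a trivial encoder, will evade it, which is the usual limit of string-based triage.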
F-Secure's post reproduces the source code of the applet used to distinguish the OS of the targeted machine (screenshot not reproduced here).
Of course, the attack also needs a social-engineering component: the applet is signed, so the browser prompts the user before running it, and the infection succeeds only if the user accepts what looks like a benign signed applet.
The payloads built for each OS all connect to the same Command & Control server, which F-Secure located at IP address 126.96.36.199.
The F-Secure blog post also published the following detection names and SHA-1 hashes for the components:
- Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
- Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
- Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
- Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
- The Mac OS X sample is a PowerPC binary, so running it on an Intel-based Mac requires Rosetta (which Apple removed in OS X 10.7 Lion, so on a current Mac the sample would simply fail to execute).
This is not the first multi-platform malware to be seen: in 2010, for example, the Boonana malware also spread through a malicious Java applet.
Malware of this kind is likely to grow in number over the coming months, and no platform is immune, so internet users should be aware of the threat and take appropriate precautions, above all not running applets they did not expect to see and disabling the Java browser plugin where it is not needed.
Cross-posted from Security Affairs