Observing the Ebb and Flow of Cross-Platform Malware

Posted: 29th January 2014

Recent news of a cross-platform, Java-based backdoor used to create a DDoS botnet (ThreatPost authored a valuable brief) prompted us to revisit a late November report by MobiStealth on the emergence of cross-platform threats.

Well-known malware such as Koobface and McRAT, capable of infecting OS X, Windows, and Linux machines, is interesting to observe over time because its effects are typically noticed in bursts. After patches are released and defenses are hardened, there is often a comeback: the malware reemerges, sometimes years later, when new vulnerabilities are discovered or when modifications allow it to once again slip past defenses.

Paraphrasing a fellow threat intel analyst: while novel vulnerabilities remain available, why would attackers waste resources creating new malware if existing tools can do the job? We’ve seen trojans such as Trojan.Naid used in distinct attacks over long stretches, making it clear that attackers are comfortable opportunistically reusing tools.

The below Recorded Future timeline shows attention to Koobface and McRAT (along with its various aliases) during 2013:

The top row of the timeline shows variants of McRAT being used in distinct campaigns during 2013. The lower row shows the reported spike in Koobface infections during Q1 2013, which some researchers described as a return “from the dead,” and the subsequent slowdown later in the year.

Tracking the Latest Cross-Platform Malware Developments

Recognition last week of the cross-platform HEUR:Backdoor.Java.Agent.a, the technical name bestowed by Kaspersky Lab upon the above-mentioned Java backdoor, led us to set up monitoring in Recorded Future so we can watch the evolution of this particular malware.

The below network (here’s the live, interactive view in Recorded Future) details elements of recent conversations happening around the web related to cross-platform malware.

The recent Java backdoor aside, we notice discussion of a cross-platform threat that works in the other direction: banking malware that seeks to infect Android devices from Windows. Separately, we see Twitter chatter drawing attention to the new Java.Agent.a malware using several hashtags associated with the hacktivist collective Anonymous.

Analysts at Booz Allen report cross-platform malware will be a growing and increasingly damaging threat vector in 2014. If you’d like to set up an alert on this topic and/or use the visualization tools shown above for your own threat intelligence research, reach out to us at Recorded Future. We’ll get you hooked up with a trial account.