Observing the Ebb and Flow of Cross-Platform Malware | Recorded Future

January 29, 2014 • Chris

Recent news of a cross-platform, Java-based backdoor used to create a DDoS botnet (ThreatPost authored a valuable brief) prompted us to revisit a late November report by MobiStealth on the emergence of cross-platform threats.

Well-known malware such as Koobface and McRAT, capable of affecting OS X, Windows, and Linux machines, is interesting to observe over time because its effects are typically noticed in bursts. But after patches are made and defenses are hardened, there’s often a comeback: malware reemerges, sometimes years later, when new vulnerabilities are discovered or modifications allow it to once again slip through defenses.

Paraphrasing a fellow threat intel analyst: while novel vulnerabilities remain available, why would attackers waste resources creating new malware if existing tools can do the job? We’ve seen trojans, say Trojan.Naid, used in distinct attacks over long stretches, making it clear that attackers are comfortable opportunistically reusing tools.

The below Recorded Future timeline shows attention to Koobface and McRAT (along with its various aliases) during 2013:

[Figure: Koobface and McRAT timeline, 2013]

The top row in the timeline shows variants of McRAT being used in distinct campaigns during 2013. The lower row reveals the reported spike in Koobface infections during Q1 2013, which some researchers called a return “from the dead,” and the subsequent slowdown later in the year.

Tracking the Latest Cross-Platform Malware Developments

Recognition last week of the cross-platform HEUR:Backdoor.Java.Agent.a, the technical name bestowed by Kaspersky Lab upon the above-mentioned Java backdoor, led us to set up monitoring in Recorded Future so we can watch the evolution of this particular malware.

The below network (here’s the live, interactive view in Recorded Future) details elements of recent conversations happening around the web related to cross-platform malware.

[Figure: Cross-platform malware network]

The recent Java backdoor aside, we notice discussion about a cross-platform threat that works in the other direction: banking malware that seeks to infect Android devices from Windows. Separately, we see Twitter chatter raising attention to the new Java.Agent.a malware by using several hashtags associated with hacktivist collective Anonymous.

Analysts at Booz Allen report cross-platform malware will be a growing and increasingly damaging threat vector in 2014. If you’d like to set up an alert on this topic and/or use the visualization tools shown above for your own threat intelligence research, reach out to us at Recorded Future. We’ll get you hooked up with a trial account.
