Most people know that Java JAR files will run on the three major platforms – Mac, Linux, and Windows, and even on Android devices under special conditions.
Malware authors package their payloads as JAR files so that the same file will execute on every target, no matter which operating system it runs.
Without this, the differences between platforms would force malware operators to build a separate version of their malware for each operating system, a problem the Java Runtime Environment (JRE) solved for legitimate developers a long time ago.
The only requirement is that the JRE be installed on each victim's computer for the malware to run, which, in most cases, it is, Java being quite a popular platform. According to the statistics, it is installed on 70-80% of computers worldwide so far.
Security experts claim that Brazil's cyber criminals are most probably the first ones to have taken this step. However, a much more intriguing fact is that this is not the work of one coding crew: several different Brazilian gangs are experimenting with JAR files for their malware.
By this moment, security researchers have come across two different spam campaigns which are delivering malicious JAR files, or JAR files placed inside archives. These threats are detected under the names Trojan-Banker.Java.Agent, Trojan-Downloader.Java.Banload, and Trojan-Downloader.Java.Agent.
Unfortunately, detection rates for these files on VirusTotal are pretty low, though the good thing is that they aren't the real "malware," being just simple droppers.
A so-called "malware dropper" is a simplistic threat: it is small and carries little malicious functionality of its own, so it can avoid antivirus detection. Its main role is to get a foothold in the system and download the real malware later on from a C&C server.
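The two campaigns above deliver either bare JAR files or JAR files nested inside archives. A JAR is just a ZIP file with a `META-INF/MANIFEST.MF` entry, and a dropper that is meant to be double-clicked must name its entry point in a `Main-Class` attribute, so a mail gateway or sandbox can flag executable JARs even when they are wrapped in another archive. The following is an added example written for this page, not code from the article or from any vendor; the sample archives are constructed in the script, and the attachment names and the `com.example.Loader` class are placeholders.

```python
import io
import zipfile


def _manifest_main_class(jar_bytes):
    """Return the Main-Class declared in a JAR manifest, or None if the
    zip has no manifest or the manifest names no entry point."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("main-class:"):
                return line.split(":", 1)[1].strip()
    return None


def find_executable_jars(data, path="", depth=0, max_depth=4):
    """Walk a zip blob recursively and list members that are themselves
    executable JARs. Returns a list of (entry path, main class). The depth
    limit stops zip-bomb style nesting from recursing forever."""
    findings = []
    if depth > max_depth:
        return findings
    try:
        outer = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            member = outer.read(info.filename)
            entry_path = f"{path}/{info.filename}" if path else info.filename
            # Only zip members can be JARs; text, PDFs, .class files are skipped.
            if not zipfile.is_zipfile(io.BytesIO(member)):
                continue
            main_class = _manifest_main_class(member)
            if main_class:
                findings.append((entry_path, main_class))
            findings.extend(find_executable_jars(member, entry_path, depth + 1, max_depth))
    return findings


def scan_attachment(name, data):
    """Check an attachment both as a JAR in its own right and as an archive
    wrapping JARs. Non-zip content yields no findings."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        main_class = _manifest_main_class(data)
        if main_class:
            findings.append((name, main_class))
        findings.extend(find_executable_jars(data, name))
    return findings


# --- constructed sample data (not real malware; placeholder class name) ---

def build_jar(main_class):
    """Build a minimal executable JAR: a manifest with Main-Class plus a
    stub .class entry carrying only the Java class-file magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        z.writestr(main_class.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_wrapper_zip(entries):
    """Build an outer archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry_name, content in entries.items():
            z.writestr(entry_name, content)
    return buf.getvalue()


SAMPLE_JAR = build_jar("com.example.Loader")  # placeholder entry point
SAMPLE_ARCHIVE = build_wrapper_zip({"invoice.pdf.jar": SAMPLE_JAR, "readme.txt": b"hello"})
BENIGN_ZIP = build_wrapper_zip({"notes.txt": b"nothing here"})

if __name__ == "__main__":
    for attachment, blob in [("invoice.zip", SAMPLE_ARCHIVE),
                             ("notes.zip", BENIGN_ZIP),
                             ("direct.jar", SAMPLE_JAR)]:
        print(attachment, "->", scan_attachment(attachment, blob))
```

The check keys on `Main-Class` rather than on the `.jar` extension because the extension is trivially renamed, while a dropper that must run on double-click cannot omit its manifest entry point. A JAR without `Main-Class` is not flagged, so libraries shipped as attachments do not trip it, and a flagged file still needs a human or a sandbox to decide whether it is hostile.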
In practice, having cross-platform droppers is almost as good as having cross-platform malware, since most malware operators will tell you that the hardest part is penetrating the user's system. As soon as that happens, the threat the dropper downloads has a clear road to exploitation.
Malware experts say that the two particular spam campaigns are coming from Brazilian cyber-crime gangs and they are spreading banking trojans. Currently, the gangs have only developed a cross-OS dropper and are still delivering their older banking trojans.
Nevertheless, the only reason a cross-platform JAR-packed banking trojan doesn't exist yet is that the hackers haven't gotten around to developing it, having barely launched their JAR dropper.
According to security researcher Dmitry Bestuzhev, this may only be a matter of time. “There is no reason to believe they won’t. They have just started and they won’t stop,” Mr. Bestuzhev says.
Presently, infections with these three malware families that leverage JAR files are popping up mainly in Brazil, but a large number of victims were also recorded in China and Germany, where the local cyber-crime gangs are experimenting with the same JAR-packing techniques.