A new downloader uncovered by researchers at the Finnish security firm F-Secure is capable of sniffing out which operating system a user is running and infecting them with a custom malicious payload.
F-Secure’s Karmina Aquino discovered the attack on a compromised Colombian transport website. The scoial engineering attack presents visitors to the site a signed Java applet, an exploit described in the Metasploit database as follows:
“This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim’s JVM will pop a dialog asking if they trust the signed applet… Newer JVMs display “UNKNOWN” when the signature is not trusted…”
Aquino writes that the JAR file, reportedly generated with TrustedSec’s Social Engineering Toolkit, checks which operating system a user is running, then, if the user is running Windows, Mac, or Linux, it downloads the appropriate malware.
The Linux, Mac, and Windows malware all behave similarly and connect to the same server (IP address: 220.127.116.11), where they await additional code. F-Secure lists the downloader as ‘Trojan-Downloader:Java/GetShell.A.’ and the system specific malicious files as ‘Trojan Backdoor:OSX/GetShell.A,’ ‘Backdoor:Linux/GetShell.A,’ and ‘Backdoor:W32/GetShell.A.’