Trojan Downloader Determines OS, Infects Systems With Custom Malware

A new downloader uncovered by researchers at the Finnish security firm F-Secure is capable of sniffing out which operating system a user is running and infecting them with a custom malicious payload.

F-Secure’s Karmina Aquino discovered the attack on a compromised Colombian transport website. The social engineering attack presents visitors to the site with a signed Java applet, a technique the Metasploit module database describes as follows:

“This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim’s JVM will pop a dialog asking if they trust the signed applet… Newer JVMs display “UNKNOWN” when the signature is not trusted…”

Aquino writes that the JAR file, reportedly generated with TrustedSec’s Social Engineering Toolkit, checks which operating system the visitor is running and then, if it is Windows, Mac OS X, or Linux, downloads the matching malware for that platform.

The Linux, Mac, and Windows malware all behave similarly and connect to the same server (IP address: 186.87.69.249), where they await additional code. F-Secure detects the downloader as ‘Trojan-Downloader:Java/GetShell.A’ and the system-specific malicious files as ‘Backdoor:OSX/GetShell.A,’ ‘Backdoor:Linux/GetShell.A,’ and ‘Backdoor:W32/GetShell.A.’
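As an added example, not part of the article or of F-Secure’s analysis: a small Python triage script for a JAR recovered from a page like the one described above. It checks the two things that make this applet what it is, a signature block under META-INF (which only means "signed", not "trusted"; an unknown signer is exactly what the JVM dialog labels UNKNOWN) and OS-fingerprinting and download-target strings in the class files, and flags the C2 address the article names. The JAR it builds is a constructed sample with filler class bytes; the entry names, the `SIGNER` alias and the `/mac.bin` path are assumptions for the demonstration, not artifacts from the real attack.

```python
import io
import re
import zipfile

C2_HOST = "186.87.69.249"  # the server named in the article


def build_sample_jar(signed: bool = True) -> bytes:
    """Constructed sample for this example only: a signed-JAR layout plus the
    strings a GetShell-style OS-probing downloader would embed. The .class
    entry is filler bytes behind a class-file magic number, not compiled Java."""
    fake_class = (
        b"\xca\xfe\xba\xbe\x00\x00\x00\x32"
        + b"\x00os.name\x00"                              # System.getProperty("os.name")
        + b"\x00http://" + C2_HOST.encode() + b"/mac.bin\x00"  # assumed payload path
        + b"\x00java/lang/Runtime\x00"                     # Runtime.exec() after download
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            # A signed JAR carries a .SF digest file plus a .RSA/.DSA/.EC PKCS#7 block
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82\x01\x00")  # placeholder blob
        zf.writestr("Java.class", fake_class)
    return buf.getvalue()


SIG_FILE = re.compile(r"^META-INF/([^/]+)\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.I)
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?[^\s\x00\"'<>]*")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
OS_PROBES = (b"os.name", b"os.arch", b"user.home")
EXEC_HINTS = (b"java/lang/Runtime", b"java.lang.Runtime", b"ProcessBuilder")


def triage_jar(data: bytes) -> dict:
    """Static triage of a JAR: signer aliases, OS-probe and exec strings,
    and every URL / IPv4 literal found in the class files."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        sf = {m.group(1) for n in names if (m := SIG_FILE.match(n))}
        blocks = {m.group(1) for n in names if (m := SIG_BLOCK.match(n))}
        signers = sorted(sf & blocks)  # alias has both halves of a signature
        blob = b"".join(zf.read(n) for n in names if n.lower().endswith(".class"))
    urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(blob)})
    ips = sorted({i.decode("ascii") for i in IPV4_RE.findall(blob)})
    return {
        "signed": bool(signers),
        "signers": signers,
        "probes_os": any(p in blob for p in OS_PROBES),
        "spawns_process": any(h in blob for h in EXEC_HINTS),
        "urls": urls,
        "ipv4": ips,
        "known_c2": C2_HOST in ips,
    }


def suspicious(report: dict) -> bool:
    """Signed applet + OS fingerprinting + somewhere to fetch from is the
    GetShell pattern; an unsigned JAR never gets the 'trust this applet' prompt."""
    return bool(report["signed"] and report["probes_os"]
                and (report["urls"] or report["ipv4"]))


if __name__ == "__main__":
    for flag in (True, False):
        rep = triage_jar(build_sample_jar(signed=flag))
        print("signed" if flag else "unsigned", rep, "->", suspicious(rep))
```

String scanning of this kind is a first pass, not a verdict: SET-generated applets can be obfuscated, and a signature block only tells you the JAR is signed, so follow up with `jarsigner -verify -verbose -certs` to see who actually signed it. The `known_c2` flag is the cheap win here: any host on your network talking to 186.87.69.249 is worth a look regardless of platform, since the article notes all three payloads call back to it.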

Discussion

  • Jason N00bz on

    This is the Social Engineering Toolkit by David Kennedy. This toolkit has had the functionality for years.

    FUD!

  • Anonymous on

    Is the attack targeted against specific targets or is it a general cybercrime malware operation? What is the website that was infected, and does it have to do directly with the purpose of the malware?

  • Anonymous on

    This functionality isn't new. Some iterations of Blackhole Exploit Kit also do this.

  • Anonymous on

    MY LOVE FOR EVER IS TROJAN DOWNLOADER:))=))
