Cross-platform malware is still a rare occurrence, so when it’s detected, it usually attracts more attention than the malware engineered to affect only one particular platform.
A recent one, detected by McAfee and “named” IncognitoRAT, attacks both Windows and Mac OS users. So, how does it manage to do it?
“IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,” explains McAfee’s Carlos Castillo.
“The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs.”
Once the .jar file is converted, it is executed and downloads a number of Java-based libraries that allow the attacker to remotely control the keyboard and mouse of the affected computer, to play MP3 files and videos, to record images taken by the computer’s webcam, and to send stolen information to a predefined email account.
A .jar component dropped by the downloader makes sure that the principal malware – which performs the actions mentioned above, and more – is executed. But the thing that really caught the researchers’ attention is the fact that the botnet created by these infected machines might be able to crash the machines and apparently show a curious message to the user:
“According to public information, this malicious code is available for Windows, Mac OS X, and iPhone/iPad (the last only to control infected computers),” remarks Castillo. “However, we’ve seen only the PC version in a downloader/dropper in the wild.”