Advanced analysis of the Morcut malware, which targets computers running Apple’s Mac OS X or Microsoft’s Windows, has revealed that it also targets VMware virtual machines and Windows Mobile devices.
The malware, also known as OSX.Crisis and W32.Crisis, was last month reported to have arrived on a compromised computer through a JAR file, using social engineering techniques. Symantec detects the JAR file as Trojan.Maljava.
The JAR file drops the malware executable file for the appropriate operating system and, in both cases, opens a back door on the compromised computer.
However, Symantec researchers have found two notable extra functions in the Windows version, according to a company blog post. In all, it uses three methods to spread itself: one copies the malware and an autorun.inf file to a removable disk drive, a second infects a VMware virtual machine image, and a third infects a Windows Mobile device.
According to Symantec researchers, the threat searches the compromised computer for a VMware virtual machine image, mounts it using a VMware Player tool, and then copies itself onto the image.
The malware does not exploit a vulnerability in the VMware software. It takes advantage of the fact that every virtual machine (VM) is just a file, or a set of files, on the host machine’s disk.
Those files can usually be mounted or manipulated directly from the host, even when the VM is not running, Symantec said. Nothing inside the guest sees the write, so guest-side antivirus does not get a chance to react to it.
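The practical defence that follows from this is host-side: treat VM disk images as sensitive files and alert when one changes while its VM is powered off. The script below is an added example (not Symantec’s, VMware’s or the malware’s code) that does exactly that. It assumes the real VMware on-disk conventions: a `.vmx` config of `key = "value"` lines, disk paths under keys ending in `.fileName`, and a `<disk>.vmdk.lck` lock directory beside any disk a running VM has open. The hypothetical `audit_vm` function compares each disk’s SHA-256 against a baseline you would normally persist yourself; `build_demo` constructs a throwaway VM directory so the example runs offline.

```python
"""Detect out-of-band changes to VMware VM disk images (added example).

Assumptions, not taken from the article:
 - a VM's config is a .vmx file of key = "value" lines (VMware's format);
 - disk paths appear under keys ending in .fileName (e.g. scsi0:0.fileName);
 - a powered-on VM holds a <disk>.lck directory next to the disk it has open.
The baseline dict would be persisted in a real deployment; here it is built
in memory from a constructed demo directory.
"""
import hashlib
import re
import tempfile
from pathlib import Path

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx text into a dict; lines that are not key = "value" are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def disk_files(vm_dir, cfg):
    """Resolve every .vmdk referenced by a *.fileName key, relative to the VM dir."""
    return [Path(vm_dir) / val for key, val in cfg.items()
            if key.endswith(".fileName") and val.lower().endswith(".vmdk")]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def vm_running(disk):
    # Assumption: VMware creates <disk>.lck beside a disk that a running VM holds open.
    return (disk.parent / (disk.name + ".lck")).is_dir()


def audit_vm(vm_dir, baseline):
    """Compare each disk image to the baseline and return (disk, finding) pairs.

    "modified-while-powered-off" is the Crisis-style pattern: something on the
    host wrote into the image without the guest running, which a normal VM
    workload never does.
    """
    findings = []
    vm_dir = Path(vm_dir)
    for vmx in sorted(vm_dir.glob("*.vmx")):
        cfg = parse_vmx(vmx.read_text())
        for disk in disk_files(vm_dir, cfg):
            if not disk.exists():
                findings.append((disk.name, "missing"))
                continue
            known = baseline.get(disk.name)
            if known is None:
                findings.append((disk.name, "unbaselined"))
            elif sha256_file(disk) != known:
                state = "running" if vm_running(disk) else "powered-off"
                findings.append((disk.name, f"modified-while-{state}"))
    return findings


def build_demo(running=False):
    """Constructed sample: one VM with one disk, baselined, then tampered with."""
    d = Path(tempfile.mkdtemp(prefix="vmaudit_"))
    (d / "win7.vmx").write_text(
        '.encoding = "UTF-8"\n'
        'scsi0:0.present = "TRUE"\n'
        'scsi0:0.fileName = "win7.vmdk"\n')
    disk = d / "win7.vmdk"
    disk.write_bytes(b"# Disk DescriptorFile\nversion=1\n")
    baseline = {disk.name: sha256_file(disk)}
    if running:
        (d / "win7.vmdk.lck").mkdir()  # simulate the VM being powered on
    # Simulate a host-side write into the image (what the malware does after mounting it)
    with open(disk, "ab") as f:
        f.write(b"\n# planted by host process\n")
    return d, baseline


def demo(running=False):
    d, baseline = build_demo(running)
    return audit_vm(d, baseline)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

In production you would hash the images on a schedule (or watch them with an inotify/USN-journal based monitor), and also log invocations of the VMware mount tool on the host, since a mount of a powered-off image from anything other than an administrator’s session is itself a strong signal.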
“This may be the first malware that attempts to spread onto a virtual machine,” said Symantec’s Takashi Katsuki. “Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analysed, so this may be the next leap forward for malware authors.”
Researchers also found that the Windows version of the malware can spread to Windows Mobile devices by dropping modules onto any such device connected to the compromised Windows computer.
Android devices are not affected, however, because the malware uses the Remote Application Programming Interface (RAPI), the desktop-side ActiveSync interface for talking to a connected handset, which works only with Windows Mobile devices.
With the capability to spread across four different environments (Windows, Mac OS X, VMware virtual machines and Windows Mobile), Katsuki said the malware is now an advanced threat.