Cross-platform Malware: Write Once, Infect Anywhere

Last updated by UpGuard on November 20, 2019


Cyber attackers are, above all else, opportunists—malware and viruses require time and resources to develop and are therefore created with the greatest returns in mind. In terms of operating systems, Windows typically gets a bad rap for security—the price of popularity, as it were. But as other OS platforms have whittled down Windows' market share in recent years, cyber attackers have had an increasingly broad playing field for exploitation. 

Cross-platform Threats on the Horizon

Last week, researchers at Kaspersky Lab discovered a few families of malware that ship as Java JAR file executables, marking the first appearance of cross-platform malware on the cyber threat landscape. This is, of course, Java's main value proposition: write once, run anywhere. It seems that hackers have taken this and utilized it for nefarious purposes; new Java-based threats coming down the pipe can equally run on Mac, Linux, Windows, and even Android devices.

The only caveat is that the Java Runtime Environment (JRE) must exist on the target system. Given the ubiquity of the Java platform, however, exploitable targets abound—according to, 97% of enterprise desktops and 89% of desktops in the U.S. run Java. As a technology, Java has been much maligned in recent years, with many security researchers calling for its complete eradication from the internet.

The spam campaigns delivering the malware JAR files have been detected using the following names:

  • Trojan-Banker.Java.Agent
  • Trojan-Downloader.Java.Banload
  • Trojan-Downloader.Java.Agent

It's worth noting that Kaspersky researchers only discovered the existence of cross-OS malware droppers, not complete standalone malware programs. Malware droppers are small pieces of software that avoid antivirus detection through their limited functionality. The purpose of a dropper is to gain entry into the system and download/install malware later from a central server hosted by the attacker. Security researchers warn that fully-fledged cross-OS malware programs are likely to soon follow.

Equal Opportunity Cyber Threats

Cross-platform exploits are nothing new. Earlier this year, JavaScript-based ransomware was discovered using the NW.js framework to infect victims; written in JavaScript, the ransomware is likely cross-OS compatible (unlike the WannaCry ransomware attack). And just last week, researchers at Bitdefender Labs discovered a rewrite of the ransomware Linux.Encoder called KeRanger, the first fully functional Mac OS X ransomware and the first cross-platform ransomware to appear.

Figure: Ransom32 payment screen (cross-platform ransomware).

Again, the key incentives for cross-platform malware development are economic: the rising popularity of OS X and other alternatives to the Windows desktop has led to malware designed modularly for wide distribution. Automated scanning for exposed server headers can be done with a simple script, signaling the continuing rise of automated hacking.
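The flip side of that observation is a hardening check you can run against your own servers: if a response header advertises a product version, it is the first thing automated tooling will read. The following is an added example, not UpGuard's tooling or anything from the original post; it parses a raw HTTP response and lists headers whose values carry a version string. The two responses are constructed samples, and the list of "disclosing" headers is an assumption about which headers commonly carry product/version strings.

```python
"""Check an HTTP response for headers that disclose software versions.

Added example, not UpGuard's tooling: a hardening check for your own
servers, run over a raw response captured from them. The sample
responses are constructed; the header list is an assumption about which
headers commonly carry product/version strings.
"""
import re
from typing import Dict, List

# Response headers that commonly advertise product and version (assumed list).
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# A dotted numeric run such as 2.4.18 or 5.6.40 inside a header value.
_VERSION_TOKEN = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return {lower-cased name: value} from the head of a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw_response: str) -> List[str]:
    """List 'name: value' for disclosing headers whose value carries a version."""
    headers = parse_headers(raw_response)
    return [
        f"{name}: {headers[name]}"
        for name in DISCLOSING_HEADERS
        if name in headers and _VERSION_TOKEN.search(headers[name])
    ]


# Constructed samples: a response leaking versions and the same server hardened
# (the effect of settings such as Apache's ServerTokens Prod and PHP's expose_php Off).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, version_disclosures(resp) or "no version disclosure")
```

The check deliberately keys on a dotted version number rather than on the presence of a `Server` header, since a bare product name is what most hardening guidance settles for; tighten `DISCLOSING_HEADERS` or the regex to match your own policy.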

Whether your remediation efforts involve removing Java across your organization entirely or identifying/patching vulnerable versions of the JVM, UpGuard can ensure that exploitable flaws in your infrastructure are eliminated before reaching production environments. Our platform for cyber resilience can automatically monitor your environment for software packages, like Java, that could lead to security compromises.
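Identifying out-of-date JVMs is harder than it looks because Java has used two version schemes: the legacy `1.8.0_181` form and the `11.0.2` form introduced with JDK 9. The following is an added example, not UpGuard's product code or anything from the original post; it normalises the banner that `java -version` prints on each host into a comparable tuple and flags hosts below a policy minimum. The inventory, host names and minimum versions are constructed placeholders, not vendor advisories.

```python
"""Flag JVM installations that fall below a patch baseline.

Added example, not UpGuard's own tooling: it parses the banner text that
`java -version` prints on each host and compares the version against a
policy minimum. The inventory and the policy values are constructed
placeholders, not vendor advisories.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# `java -version` prints e.g. 'java version "1.8.0_181"' (legacy scheme)
# or 'openjdk version "11.0.2" 2019-01-15' (JEP 223 scheme, JDK 9+).
_VERSION_RE = re.compile(r'version "([^"]+)"')

# Assumed policy: lowest acceptable (feature, interim, update) per feature
# release. Placeholder values; releases not listed are treated as
# unsupported and flagged regardless of patch level.
POLICY_MINIMUM: Dict[int, Version] = {
    8: (8, 0, 181),
    11: (11, 0, 2),
}


def parse_java_version(banner: str) -> Optional[Version]:
    """Normalise both version schemes to (feature, interim, update).

    '1.8.0_181' -> (8, 0, 181); '11.0.2' -> (11, 0, 2); '17' -> (17, 0, 0).
    Returns None when the text carries no version string (e.g. Java absent).
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    # Drop build/qualifier suffixes such as '-ea', '-b13' or '+9'.
    raw = re.split(r"[-+]", match.group(1))[0]
    if raw.startswith("1."):
        # Legacy: 1.<feature>.<minor>_<update>
        main, _, update = raw[2:].partition("_")
        parts = main.split(".")
        feature = int(parts[0])
        interim = int(parts[1]) if len(parts) > 1 else 0
        return (feature, interim, int(update or "0"))
    nums = [int(p) for p in raw.split(".")]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2])


def assess(banner: str) -> str:
    """Classify one host's banner: ok, patch-required, unsupported-release or no-java."""
    version = parse_java_version(banner)
    if version is None:
        return "no-java"
    minimum = POLICY_MINIMUM.get(version[0])
    if minimum is None:
        return "unsupported-release"
    # Tuple comparison orders by feature, then interim, then update.
    return "ok" if version >= minimum else "patch-required"


def run_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a {host: banner} inventory."""
    return {host: assess(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host -> captured `java -version` output).
SAMPLE_INVENTORY = {
    "build-01": 'java version "1.8.0_181"\nJava(TM) SE Runtime Environment (build 1.8.0_181-b13)\n',
    "build-02": 'java version "1.8.0_141"\nJava(TM) SE Runtime Environment (build 1.8.0_141-b15)\n',
    "app-03": 'openjdk version "11.0.2" 2019-01-15\nOpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n',
    "app-04": 'java version "1.7.0_80"\nJava(TM) SE Runtime Environment (build 1.7.0_80-b15)\n',
    "web-05": "-bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, status in sorted(run_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:10s} {status}")
```

Treating an unlisted feature release as `unsupported-release` rather than comparing it numerically is deliberate: a JDK 7 at its final update is still unpatched against anything fixed later, so the policy, not the version arithmetic, should decide whether it is acceptable at all.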
