The malware has been detected on VMware virtual machines on compromised hosts and it is able to copy itself onto an image by using a VMware Player tool.
What is important is to clarify is that the malware doesn’t exploit any vulnerability in the virtualization engine, but uses the mechanism of storage of local files that could be manipulated by malicious applications.
In many cases, the malware designers implemented a feature that made them inactive when the host is a virtual machine to avoid to being discovered and analyzed.
Takashi Katsuki of Symantec explained in his blog post:
“Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors. It also has the functionality to spread to Windows Mobile devices by dropping modules onto Windows Mobile devices connected to compromised Windows computers”
Crisis Malware is an agent used to spy on victims by intercepting communications, and it is able to open a backdoor on the infected host once the user executes a Java archive (JAR) file made to look like an Adobe Flash Installer.
The malware has been developed for several OSs, and last month a Mac version had been isolated.
The malware has a long history, one of the oldest versions was detected during the Arab Spring when it was spread to spy on journalists, and it has been also been adopted by groups of criminals with the intent to steal banking credentials.
Lysa Myers from Intego’s Mac Security Blog clarified that the malware could infect a virtual machine only after executed on an infected host. Outside of a virtual machine, it’s not possible to infect ay image of a virtual environment without compromising the PC first.
This characteristic makes the trojan harder to detect especially in the absence of security protections on the virtualized environment.
Assuming we have a malware that is able to infect different environments such as Mac, Windows, virtual machines, and Windows Mobile, that represents an innovation for the way it spreads to the targets it attacks… we must not underestimate it!
Cross-posted from Security Affairs