Multi-platform spyware penetrates smartphones and VMs
In late July, virus researchers discovered a trojan going by the names Crisis and Morcut that uses a number of techniques to spy on Windows and Mac OS X users. It installs a backdoor in the system and then uses rootkit functionality to conceal itself from the system. Crisis includes a wide range of espionage tools, allowing it to perform functions such as eavesdropping on Skype calls, keylogging and tapping into webcams.
Anti-virus company Symantec has now discovered that, when running under Windows, the malware has a number of other interesting tricks up its sleeve. Crisis searches for VMware images and infects them with a copy of itself. It also uses the Remote Application Programming Interface (RAPI) to install modules on any devices running Windows Mobile (the forerunner to Microsoft's current Windows Phone operating system). What exactly these modules do there is not yet clear – Symantec's virus lab has not managed to get hold of them.
With the help of a little social engineering, the malware appears to be being spread via a Java file named AdobeFlashPlayer.jar, which is signed using a self-signed VeriSign certificate. If a user opens the file and chooses to ignore the error message generated by the self-signed certificate, separate payloads for Windows or Mac OS X are executed depending on the operating system on which the file is opened.
It is notable that this piece of spyware has not yet been observed in the wild by any of the major anti-virus software companies. Samples were uploaded to anti-virus service VirusTotal, which passed them on to the virus labs. Its limited distribution suggests that Crisis is being used for targeted attacks, along the lines of those carried out using commercial trojan toolkit FinSpy, sold by Finfisher. According Russian AV company Dr Web, this is the latest specimen of Italian company HackingTeam's Remote Control System, also known as Da Vinci.
The company sells its spyware as a "hacking suite for governmental interception" and, among other things, its product brochure promises the ability to eavesdrop on Skype calls. As well as Windows and Mac OS X, Da Vinci also supports iOS, Android, Blackberry, Symbian and Linux. Close inspection of the screenshots in the brochure suggests that Da Vinci also appears to be able to divulge the current location of the person under surveillance.