A new attack technique and strategy has begun to find favour with cyber criminals: cross-platform attacks. What is a cross-platform attack? Consider an online fraud operation that, to evade the monitoring of any one e-commerce platform, advertises on Weibo, recruits victims through Baidu searches, negotiates over Tencent messaging, and finally settles the deal on Taobao. Spreading the process across platforms greatly increases the difficulty of monitoring the crime and collecting evidence, because no single platform sees the whole picture. In the malware sense, a cross-platform attack affects not only the original victim machine but also the victim's other devices, such as mobile phones, and any network or system those devices are connected to.
Two ransomware families that illustrate this trend are RedAlert and Monster, both of which can target multiple operating systems and environments with one code base.
Attackers building cross-platform malware only need to write the core functionality once; the same code can then be compiled or scripted for several targets. This hinders analysis, and it also lets the attacker tailor a build to a specific victim environment. Behaviour is often selected from the command line, for example a switch that enables ESXi-specific logic when the target is a particular type of virtual machine host. Such per-victim customization makes it harder for defenders to detect and prevent the attack with generic signatures.
Since 2021, the ability of criminal groups to attack several client operating systems within a single victim's environment has grown. RedAlert ships a C-language executable for Linux that also supports VMware's enterprise ESXi hypervisor. Monster, by contrast, is written in the older cross-platform language Delphi, which makes it easy to configure customized attacks against a specific victim's systems.
Kaspersky has published a report pointing out that ransomware gangs are making increasingly effective use of n-day vulnerabilities (also called "1-day" vulnerabilities) in multi-platform attacks. An n-day vulnerability is one that has already been publicly disclosed, and usually patched by the vendor, but that many organizations have not yet fixed; cybercriminals race to exploit it before the patch is applied. A practical check here is straightforward: compare the hypervisor and operating system build numbers in your environment against the vendor's advisory for the disclosed issue, and treat any host still on a vulnerable build as exposed.
A common way for ransomware to implement cross-platform attacks is to write it in a language that compiles for multiple platforms from one source tree, such as Rust or Go.
According to Palo Alto Networks Unit 42, ransomware groups including Agenda, BlackCat, Hive and Luna have adopted these languages: Agenda is written in Go, while BlackCat, Hive and Luna use Rust. Agenda also offers per-victim "software customization", building a tailored sample for each target.
Because the analysis tooling for these languages is less mature than the tooling for C programs, ransomware written in Rust or Go is harder for malware researchers to analyse. Go and Rust binaries are statically linked, so a sample carries thousands of runtime and library functions alongside the attacker's code, and Go's calling conventions and string handling confuse decompilers built around C. Stripping symbols makes this worse. One small mercy for defenders is that Go binaries embed build metadata (Go version, module path, target GOOS and GOARCH) that survives stripping, which helps triage even when decompilation is painful.
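The triage step mentioned above, as an added example that is not part of the original article and not code from any of the groups or vendors it names: a small Go program that reads the embedded Go build information from a binary (this works for ELF, PE and Mach-O files, so Linux/ESXi and Windows variants alike) and falls back to byte-level heuristics for Go and Rust. The Rust markers are an assumption of this example, chosen from strings that rustc-produced binaries commonly carry in panic metadata; they indicate, not prove, that a sample was built with Rust.

```go
package main

import (
	"bytes"
	"debug/buildinfo"
	"fmt"
	"os"
)

// Report summarises what the triage learned about one file.
type Report struct {
	Path       string
	IsGo       bool   // Go build-info header found (survives -ldflags "-s -w")
	GoVersion  string // toolchain that built the sample, e.g. "go1.21.5"
	MainModule string // module path the sample was built from
	GOOS       string // target OS recorded at build time
	GOARCH     string // target architecture recorded at build time
	RustHint   bool   // heuristic only: rustc source paths or unwind symbols present
}

// goBuildInfoMagic is the 16-byte header the Go linker writes in front of the
// embedded build information. It sits in a data section, not the symbol table,
// so stripping the binary does not remove it.
var goBuildInfoMagic = []byte("\xff Go buildinf:")

// rustMarkers are strings commonly left in rustc output by panic/location
// metadata. Assumed heuristics for this example; a packer or custom toolchain
// can remove them.
var rustMarkers = [][]byte{
	[]byte("/rustc/"),
	[]byte("rust_begin_unwind"),
	[]byte("rust_panic"),
	[]byte("library/std/src/"),
}

// ClassifyBytes applies the byte-level heuristics to raw file contents.
// It is cheap enough to run across a whole quarantine directory.
func ClassifyBytes(data []byte) (isGo bool, rustHint bool) {
	isGo = bytes.Contains(data, goBuildInfoMagic)
	for _, m := range rustMarkers {
		if bytes.Contains(data, m) {
			rustHint = true
			break
		}
	}
	return isGo, rustHint
}

// Triage reads one binary, parses Go build info when present, and records
// the byte heuristics either way.
func Triage(path string) (Report, error) {
	rep := Report{Path: path}
	data, err := os.ReadFile(path)
	if err != nil {
		return rep, err
	}
	rep.IsGo, rep.RustHint = ClassifyBytes(data)

	// debug/buildinfo parses ELF, PE, Mach-O and Plan 9 executables, so one
	// call covers the Linux/ESXi and Windows builds of a cross-platform family.
	// A parse failure is not an error for triage: the heuristics still stand.
	if bi, err := buildinfo.ReadFile(path); err == nil {
		rep.IsGo = true
		rep.GoVersion = bi.GoVersion
		rep.MainModule = bi.Main.Path
		for _, s := range bi.Settings {
			switch s.Key {
			case "GOOS":
				rep.GOOS = s.Value
			case "GOARCH":
				rep.GOARCH = s.Value
			}
		}
	}
	return rep, nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gotriage <binary>...")
		os.Exit(2)
	}
	for _, p := range os.Args[1:] {
		rep, err := Triage(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s: go=%v version=%q module=%q target=%s/%s rust_hint=%v\n",
			rep.Path, rep.IsGo, rep.GoVersion, rep.MainModule, rep.GOOS, rep.GOARCH, rep.RustHint)
	}
}
```

Run it as `go run gotriage.go sample.bin other.exe`. The GOOS/GOARCH values are the strongest signal for the page's topic: a single family whose samples report `linux/amd64` from one victim and `windows/amd64` from another was built from one source tree, which is exactly the cross-platform pattern described above. The heuristics are deliberately simple; treat `RustHint` as a reason to look closer, not as a classification.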
So which platforms are exposed to cross-platform attacks? The honest answer is any of them: whatever is popular, widely deployed or in the news is a candidate for attackers, because that is where the victims and the ransom payments are.
Cross-platform threats are likely to keep growing. Criminal groups will use mobile devices as carriers for malware aimed at enterprises and government institutions. Once an infected mobile device is connected to or synchronized with a company system, it can spread the infection across the internal network and exfiltrate important company data.
To prevent threats from jumping between platforms, devices in both work and home environments should be hardened, and staff should receive regular security training that covers cross-platform attacks. Backups are the last line of defence against ransomware, and for the ESXi-targeting families discussed above that means the backup copies must not be reachable with the same credentials or from the same datastores the hypervisor uses; an attacker who can encrypt the VMFS volumes must not also be able to delete the backups. To protect your data, Vinchin offers solutions such as VMware backup for the world's most popular virtual environments, XenServer backup, XCP-ng backup, Hyper-V backup, RHV/oVirt backup, Oracle backup, etc.