Dyreza malware
Brazilian gangs are actively working to develop cross-operating system banking malware that will infect Mac and Linux computers too iStock

Are you a Mac or Linux user who has been feeling smug about the lack of malware on your operating system? Well, your days are numbered. Brazilian crime gangs are working to change this by packaging malware into Java archive (jar) files, which run across Macs, Linux, Windows and – in some circumstances – Android mobile devices.

Security researchers from Kaspersky Lab have discovered that Brazilian criminals are operating email phishing scams by pretending to be from electronic debt call centres and transport authorities concerning vehicle taxes or fines.

The emails ask the recipient to download a PDF file allegedly showing the amount to be paid. Instead the link downloads jar files, or the email directly spreads jar files hidden inside archives without the victim needing to download anything from the internet at all.

Unfortunately, this means that as long as the user has Java installed on their computer, the Banloader components will immediately execute on the operating system –and it doesn't matter whether the user is on Mac OS X, Windows or Linux.

This type of malware is known as a "malware dropper" as it isn't as nasty as full-on malware, having less malicious functionality. The bad news is that because it is only a dropper, it can avoid being detected by antivirus programs, and therefore can gain a foothold in the victim's operating system where later the attackers can send a command for the real malware to download from the command and control (C&C) server and quietly install onto the victim's machine.

It depends on the gang, but Kaspersky researchers observed versions of the Banloader malware dropper being used by Brazilian criminals to serve banking Trojans that redirect users to fake banking websites. However, the real fear is that these same criminals could easily develop a cross-platform banking Trojan containing jar files that would immediately install and work to steal a victim's money.

"The Banloaders (initial components) come in jar but the final components (dropped malware) are still designed to run in Windows or they use a Windows system in the case of PAC abusing. However, it's clear the first step to cross-platforming has just been made. So, it's a matter of time until we will find Brazilian bankers running on all platforms," Kaspersky Lab researcher Dmitry Bestuzhev wrote in a blog post.

At the moment, the researchers observe that most of the victims of the malware droppers are located in Brazil, Spain and Portugal, as well as the US, Argentina and Mexico. Kaspersky also warns that at the moment, all antivirus vendors in the world have a very low detection rate for jar malware, so this needs to be fixed soon.