One of the oft-repeated reasons for using alternative operating systems is the suggestion that alternatives to Windows are more secure because malware is not produced for these minority systems—in effect, an argument in favor of security by minority. For a variety of reasons, this is a misguided notion. The proliferation of web-based attacks—which are inherently cross-platform, as they depend on browsers more than the underlying OS the browser runs on—makes this argument rather toothless.
In the narrower view of actual executables, Java-based malware such as McRAT has proliferated in the past, though Java on the desktop is practically unheard of on consumer computers in 2018. Likewise, with enterprises moving away from installing Java SE on workstations, the viability of that approach has dwindled. However, Google’s Golang—which supports cross-compiling to run on multiple operating systems—is now being used by attackers to target Windows and Linux workstations.
According to a report by JPCERT, the WellMess malware can operate on WinPE (Windows Preinstallation Environment) and on Linux via ELF (Executable and Linkable Format). The malware gives a remote attacker the ability to execute arbitrary commands as well as upload and download files, or run PowerShell scripts to automate tasks. The commands are transferred to the infected device via RC6-encrypted HTTP POST requests, with the results of executed commands transmitted to the C&C server via cookies.
Submitted by: Arnfried Walbrecht
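The article notes that results of executed commands travel to the C&C server in cookies. As an added example (not from the original article or from JPCERT), here is a triage heuristic for proxy logs that flags POST requests whose Cookie header carries a large, high-entropy payload. The thresholds, the record layout, the sample requests and the assumption that the cookies accompany the POST requests are all constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter

# Assumed thresholds; tune against a baseline of your own proxy logs.
MIN_COOKIE_LEN = 256   # characters of cookie value data
MIN_ENTROPY = 4.5      # bits per character

def shannon_entropy(text):
    """Shannon entropy of a string, in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def cookie_values(header):
    """Concatenate only the values of a Cookie header ("k=v; k2=v2")."""
    return "".join(p.strip().partition("=")[2] for p in header.split(";"))

def is_suspicious(request):
    """Flag POST requests whose cookie data is both large and high-entropy."""
    if request.get("method") != "POST":  # assumption: cookies ride on the POSTs
        return False
    data = cookie_values(request.get("cookie", ""))
    return len(data) >= MIN_COOKIE_LEN and shannon_entropy(data) >= MIN_ENTROPY

def scan(requests):
    """Return the destination hosts of all flagged requests."""
    return [r["host"] for r in requests if is_suspicious(r)]

# Constructed sample data (not real traffic): 256 pseudo-random bytes,
# base64-encoded, stand in for an encrypted payload split across two cookies.
_blob = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
).decode()

SAMPLE_REQUESTS = [
    {"method": "POST", "host": "203.0.113.10", "cookie": f"a={_blob[:172]}; b={_blob[172:]}"},
    {"method": "POST", "host": "intranet.example", "cookie": "session=abc123; theme=dark"},
    {"method": "GET", "host": "cdn.example", "cookie": f"cache={_blob}"},
    {"method": "POST", "host": "forms.example", "cookie": "pad=" + "A" * 400},
]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

Signed session tokens from legitimate applications are also long and high-entropy, so treat hits as leads to correlate with destination reputation and request frequency, not as verdicts.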