Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Crisis Malware Able to Hijack Virtual Machines

Researchers Say Crisis May be the First Malware that Attempts to Spread Onto a Virtual Machine

Researchers Say Crisis May be the First Malware that Attempts to Spread Onto a Virtual Machine

Crisis, the malware that was discovered last month in a repository, is unique in that it has several features, including the ability to infect Windows and Macintosh installations. However, on the Windows side, Crisis can also target VM images Symantec says, making the malware two times the threat it once was.

Symantec, building on analysis from security firms such as Kaspersky Lab and Intego, discovered that the JAR file that is used to infect a given system has an additional payload for Windows.

Mac OS X Malware

“The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device,” Symantec explained in a blog post.  

“This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors.”

When it comes to Windows Mobile, Symantec says they are still looking for actual examples of the modules. They have the proof that Crisis has the ability to target WinMo, but the modules themselves are not available.

Every security firm in the world who has a tie to the Virus Total submission list got a copy of Crisis. It would appear that the authors submitted it in order to see how well (or poorly) it was detected.

While the malware itself hasn’t been used in any widespread attack, and most vendors have basic detections for it, the developers have upped the stakes it seems when it comes to attack vectors.

Additional coverage on Crisis is here and here.   

Related Reading: Report Examines Code Behind Crisis Trojan Targeting Mac OS X

Written By

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.