CyberWisdom Safe Harbor Commentary on CrossRAT Malware Targets Windows, MacOS, and Linux systems
thehackernews.com warned ‘Are you using Linux or Mac OS? If you think your system is not vulnerable to viruses, then you should read this. A wide range of cybercriminals is now using a new type of “undetectable” spyware malware targeting Windows, macOS, Solaris, and Linux systems.’
Just a few days ago, I published a detailed article on the EFF/Lookout report, which revealed an advanced persistent threat (APT) group called Dark Caracal that has been carrying out global mobile espionage.
Although the report focused on the group’s massive hacking operations against mobile phones rather than computers, it also revealed a new cross-platform malware called CrossRAT (version 0.1), which is believed to have been developed by, or for, the Dark Caracal group.
What is CrossRAT Malware?
CrossRAT is a cross-platform remote access Trojan that lets remote attackers manipulate the file system, take screenshots and run arbitrary executables on all four popular desktop operating systems: Windows, Solaris, Linux and macOS.
According to the researchers, the hackers do not rely on any zero-day exploit to distribute their malware; instead, they use basic social engineering, through posts in Facebook groups and WhatsApp messages, to lure users to hacker-controlled websites and get them to download a malicious application.
CrossRAT is written in the Java programming language, making it easy for reverse engineers and researchers to decompile it.
At the time of writing, CrossRAT was detected by only two of the 58 antivirus engines on VirusTotal, so former NSA hacker Patrick Wardle decided to analyze the malware and provide a comprehensive technical overview of its persistence mechanisms, its command-and-control communications, and its capabilities.
CrossRAT 0.1 – Cross-platform persistent surveillance malware
Once executed on the target system, the implant (hmar6.jar) first checks the running operating system and then installs itself accordingly.
In addition, the CrossRAT implant attempts to collect information about the infected system, including the installed operating system version, kernel version and architecture.
On Linux systems, the malware also tries to query system files to determine the distribution, such as Arch Linux, CentOS, Debian, Kali Linux, Fedora and Linux Mint.
CrossRAT then installs an operating-system-specific persistence mechanism so that it automatically (re)executes when the infected system restarts, and registers itself with the C&C server, allowing remote attackers to send commands and exfiltrate data.
As reported by researchers at Lookout, the CrossRAT variant distributed by the Dark Caracal hacking group connects to “flexberry (dot) com” on port 2223; this information is hard-coded in the “crossrat/k.class” file.
CrossRAT contains an inactive keylogger module
CrossRAT Malware’s Goal
The malware is designed with some basic surveillance capabilities, each of which is triggered only when it receives the corresponding predefined command from the C&C server.
Interestingly, Patrick noticed that CrossRAT was also programmed to use “jnativehook”, an open-source Java library for listening to keyboard and mouse events, but the malware has no predefined command to activate keylogging.
“However, I did not see any code that references the jnativehook package, so at this point it seems that this functionality is not being used. There may be a good explanation for this: as the report states, the malware identifies its version as 0.1, which may indicate that it is still a work in progress and therefore incomplete,” said Patrick.
How to check if you are infected with CrossRAT?
Because CrossRAT Malware persists in an operating system-specific way, detecting malware will depend on the operating system you are running.
- Windows: Check the ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\’ registry key.
- Windows: If infected, it will contain a command that includes java, -jar and mediamgrs.jar.
- macOS: Check for the jar file mediamgrs.jar in ~/Library.
- macOS: Also look for a launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
- Linux: Check for the jar file mediamgrs.jar in /usr/var.
- Linux: Also look for an ‘autostart’ file in ~/.config/autostart, likely named mediamgrs.desktop.
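The checklist above, turned into a small host check. This is an added example, not code from the article, from Lookout or from Patrick Wardle; it only uses the file names, paths and registry key named in the list, and the home-directory and OS-name values are read from the running host.

```python
# Added example, not code from the article or from Lookout / Patrick Wardle:
# checks a host for the CrossRAT persistence artifacts listed above.
import os
import platform

JAR, PLIST, DESKTOP = "mediamgrs.jar", "mediamgrs.plist", "mediamgrs.desktop"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def artifact_paths(system, home):
    """Paths where CrossRAT persists on macOS ('Darwin') or Linux, per the article."""
    if system == "Darwin":
        return [os.path.join(home, "Library", JAR),
                os.path.join("/Library/LaunchAgents", PLIST),
                os.path.join(home, "Library", "LaunchAgents", PLIST)]
    if system == "Linux":
        return [os.path.join("/usr/var", JAR),
                os.path.join(home, ".config", "autostart", DESKTOP)]
    return []  # on Windows the persistence is a registry Run value, see below

def existing_artifacts(paths):
    """Subset of the candidate paths that actually exist on disk."""
    return [p for p in paths if os.path.exists(p)]

def run_value_is_suspicious(command):
    """True when a Run-key command contains java, -jar and mediamgrs.jar."""
    low = command.lower()
    return "java" in low and "-jar" in low and JAR in low

def suspicious_run_values():
    """Windows only: HKCU Run values matching the indicator (empty list elsewhere)."""
    if platform.system() != "Windows":
        return []
    import winreg  # standard library, Windows only
    found, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                return found
            if run_value_is_suspicious(str(value)):
                found.append((name, value))
            index += 1

if __name__ == "__main__":
    hits = existing_artifacts(artifact_paths(platform.system(), os.path.expanduser("~")))
    hits += suspicious_run_values()
    print("possible CrossRAT persistence:" if hits else "no CrossRAT artifacts found:", hits)
```

A hit only means the named artifact is present; confirm by inspecting the file or Run value before acting, since a different program could legitimately use a similar name.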
How to prevent CrossRAT Trojan?
Only 2 out of 58 antivirus products detected CrossRAT at the time of writing, which means your antivirus alone can hardly protect you from this threat.
Patrick said: “Since CrossRAT is written in Java, you need to have Java installed. Fortunately, the latest version of macOS does not come with Java.
“So most macOS users should be safe! Of course, if a Mac user already has Java installed, or if an attacker can persuade a naive user to install Java first, CrossRAT will run, even on the latest version of macOS.”
Users are advised to install behavior-based threat detection software. For Mac users there is BlockBlock, a simple utility developed by Patrick that alerts the user whenever something attempts to install itself persistently.
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.