Stealth CrossRAT malware targets Windows, MacOS, and Linux systems

  • Vivaldi Ambassador

    Last week a joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation detailed the activity of a long-running hacking group linked to the Beirut Government and tracked as Dark Caracal. The hacking campaigns conducted by Dark Caracal leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.

    The report detailed a new strain of cross-platform malware tracked as CrossRAT (version 0.1), it is remote access Trojan that can infect systems based on Windows, Solaris, Linux, and macOS.

    The malware implements classic RAT features, such as taking screenshots and running arbitrary commands on the infected systems.

    At the time of its discovery, the malware was not detected by almost all the anti-virus software

    The Dark Caracal attack chain implemented relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

    CrossRAT is written in Java programming language, for this reason, researchers can easily decompile it.

    The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware.

    Once executed on the victim’s system, CrossRAT will determine the operating system it’s running on to trigger the proper installation procedure.

    On Linux systems, the RAT also attempts to query systemd files to determine the distribution (i.e. Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint).

    Wardle explained that the author implemented specific persistence mechanisms for each operating system. Once installed the malware will attempt to contact the C&C server.

    “Now the malware has persistently installed itself, it checks in with the C&C server for tasking. As noted the EFF/Lookout report the malware will connect to flexberry . com on port 2223. ” states the analysis published by Wardle.

    The expert discovered that the CrossRAT includes reference ‘jnativehook Java library that provides global keyboard and mouse listeners for Java, but didn’t see any code within that implant that referenced the jnativehook package, likely because the analyzed version was still under development.

    Wardle detailed the persistence mechanism implemented for each OS, this information is useful to detect the presence of CrossRAT on a system.

    Check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. If infected it will contain a command that includes, java, -jar and mediamgrs.jar.
    Check for jar file, mediamgrs.jar, in ~/Library. Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
    Check for jar file, mediamgrs.jar, in /usr/var. Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.

    Pierluigi Paganini


  • I'll check ;) remove direct link to flexberry (I know probably won't be infected clicking there...but better safe than sorry xD)

  • @hadden89 That's not really their fault, it's an automatic link, the only thing you can do is put spaces in between or surround it with backticks.

  • I read this in Bleeping Computer last week. Afterwards, I decided that as i am more likely to begin auto-levitation than ever use FB & WA, & wrt emails i never ever ever just blindly click links in any emails [even from known senders], i should be pretty immune to social engineering attack vectors. Regarding java, i then reviewed all my installed programs & could not see that i had anything which critically relied on Java, double-checked my deduction in the Manjaro forum, & then uninstalled Java from both PCs.

    Now just awaiting the inevitable next attack threat / vector. Geez all these people are bastards.

  • very interesting, thanks for the message

Log in to reply

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.