• Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems


    #162740

    CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems: Windows, Solaris, Linux, and macOS. It enables remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.
    According to researchers, Dark Caracal hackers do not rely on any “zero-day exploits” to distribute their malware; instead, they use basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hacker-controlled fake websites and download malicious applications.
    CrossRAT is written in the Java programming language…

    As it’s in version 0.1 (sic!) with unused keylogging capabilities etc., we can only expect to see more advanced versions later on… of course.

    Users are advised to install behaviour-based threat detection software.

    Quotes from https://thehackernews.com/2018/01/crossrat-malware.html

    3 users thanked author for this post.
    • #162744

      From thehackernews post @Jan-K linked above:

      How to Check If You’re Infected with CrossRAT?
      Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.

      For Windows:
      – Check the ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\’ registry key.
      – If infected, it will contain a command that includes java, -jar and mediamgrs.jar.

      For macOS:
      – Check for the jar file mediamgrs.jar in ~/Library.
      – Also look for a launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.

      For Linux:
      – Check for the jar file mediamgrs.jar in /usr/var.
      – Also look for an ‘autostart’ file in ~/.config/autostart, likely named mediamgrs.desktop.

      5 users thanked author for this post.
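      The checks quoted above, turned into a small script so the three OS-specific locations can be verified in one run (an added example, not code from the post or the thehackernews article). It uses only the Python standard library; the file paths are exactly the ones the post lists, and the Run-key match (a command containing java, -jar and mediamgrs.jar) is my reading of the Windows check.

```python
import os
import platform
import re
from pathlib import Path

# Indicators exactly as listed in the post above (quoted from thehackernews).
JAR_NAME = "mediamgrs.jar"
WIN_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# A Run value is flagged when its command invokes java with -jar and the jar name.
WIN_CMD_PATTERN = re.compile(r"java.*-jar.*mediamgrs\.jar", re.IGNORECASE)

def check_windows_run_values(values):
    """values: (name, command) pairs from HKCU\\...\\Run; returns matching names."""
    return [name for name, cmd in values if WIN_CMD_PATTERN.search(str(cmd))]

def read_windows_run_values():
    """Enumerate the HKCU Run key; Windows only (winreg is imported lazily)."""
    import winreg
    pairs, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WIN_RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                return pairs
            pairs.append((name, value))
            index += 1

def persistence_paths(system, home):
    """Filesystem artifacts to look for per OS, as listed in the post."""
    home = Path(home)
    if system == "Darwin":
        return [home / "Library" / JAR_NAME,
                Path("/Library/LaunchAgents/mediamgrs.plist"),
                home / "Library" / "LaunchAgents" / "mediamgrs.plist"]
    if system == "Linux":
        return [Path("/usr/var") / JAR_NAME,
                home / ".config" / "autostart" / "mediamgrs.desktop"]
    return []

def find_artifacts(system, home, exists=os.path.exists):
    """Return the listed paths that exist; `exists` is injectable for offline tests."""
    return [str(p) for p in persistence_paths(system, home) if exists(str(p))]

if __name__ == "__main__":
    system = platform.system()
    hits = find_artifacts(system, Path.home())
    if system == "Windows":
        names = check_windows_run_values(read_windows_run_values())
        hits += [f"HKCU\\{WIN_RUN_KEY}\\{name}" for name in names]
    print(hits or "none of the listed CrossRAT artifacts found")
```

      A hit only means one of the published file names or Run-key patterns is present; an absence of hits says nothing about a renamed build, which is why the thread's advice to run behaviour-based detection still stands.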
    • #162817

      After posting I later came to think that I actually don’t use Java on my PC? Had a check and it has been disabled for years… think it started when I found a bunch of +250MB installs from Sun. Also disabled in Internet Explorer, btw.

      For a test I’ve now disabled it on my Acer android tablet in Chrome settings.

      Will I really be missing anything?

      1 user thanked author for this post.
    • #162876

      Like @JanK, I also stripped the local installation of Java years ago. But I also recognize the remote use by others being hosted in my browser environment.

      I’m trying to work out, and would appreciate input on, whether this isolated execution can inject the registry setting without having Oracle in my installed programs list.

      I have since followed @Kristy’s tip and found no evidence currently on this unit. But I also recognize that does not by itself indicate protection against finding an exploit later.
