A new piece of malware, named CrossRAT, is targeting desktop PCs. This spyware, which almost no antivirus engine detects yet, is believed to have been developed by the Dark Caracal group. CrossRAT is a desktop surveillance tool that targets macOS, Windows and Linux. Written in Java, this cross-platform malware can take screenshots, browse and manipulate the entire file system, and on Windows load arbitrary DLLs for secondary infection.
According to the researchers, the operators of this Trojan spread it through WhatsApp messages and Facebook group posts that lure users to malicious websites and trick them into downloading the malware.
CrossRAT bundles the open-source Java library 'jnativehook' to capture keyboard and mouse events, but its command set contains no predefined command that activates this keylogger.
CrossRAT is built around a set of basic surveillance features that are activated only when the C&C server sends the corresponding command. On first run it checks which operating system it is on and installs itself accordingly. It then collects details about the infected system, including the OS version, kernel build and architecture.
The Trojan then uses the persistence mechanism appropriate to that operating system so that it is launched again every time the infected system reboots or the user logs in. It finally registers itself with the C&C server, giving the remote attackers access to the machine.
“As reported by Lookout researchers, the CrossRAT variant distributed by the Dark Caracal hacking group connects to ‘flexberry(dot)com’ on port 2223, whose data is hardcoded within the ‘crossrat/k.class’ file.”
Check if your PC is infected with CrossRAT
Because CrossRAT is written in Java, it needs a Java runtime on the victim's machine. Current versions of macOS do not ship with Java, so most Mac users are protected by default.
But if the user has installed Java, or the attackers trick the user into installing it, CrossRAT can run and infect even the latest versions of macOS.
As it is a cross-platform Trojan, the detection steps differ for each operating system.
For Windows users:
Check the ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’ registry key. If the PC is infected by CrossRAT it will contain a value whose command includes java, -jar and mediamgrs.jar.
For macOS:
Look for the launch agent mediamgrs.plist in /Library/LaunchAgents or ~/Library/LaunchAgents.
(OR) Look for the jar file mediamgrs.jar in ~/Library.
For Linux:
Look for an autostart file named mediamgrs.desktop in ~/.config/autostart.
(OR) Look for the jar file mediamgrs.jar in /usr/var.
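The following script automates the checks above. It is an added example and not code from the original article, from Lookout or from Patrick Wardle's write-up. It looks for the persistence artifacts listed for each platform (the registry Run key on Windows, the launch agent and jar on macOS, the autostart file and jar on Linux) and, going one step beyond the list above, also flags netstat-style lines that reference the hardcoded C2 (flexberry.com, TCP port 2223). The directory layout it scans in `demo_scan()` and the netstat lines in `SAMPLE_NETSTAT` are constructed for the demonstration, not real captures.

```python
"""Hunt for the CrossRAT persistence artifacts and C2 connection described above.

Added example, not the article's or the researchers' code. File and registry
indicators are the ones the article names; the root directory is a parameter
so the scan can be exercised against a constructed directory tree.
"""
import re
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List

JAR_NAME = "mediamgrs.jar"
C2_HOST = "flexberry.com"
C2_PORT = 2223


def artifact_paths(platform: str, home: Path, root: Path = Path("/")) -> List[Path]:
    """Persistence artifacts to look for on each platform (paths from the article)."""
    if platform.startswith("win"):
        return []  # Windows persists via the Run key; see run_key_hits() below
    if platform == "darwin":
        return [
            root / "Library" / "LaunchAgents" / "mediamgrs.plist",
            home / "Library" / "LaunchAgents" / "mediamgrs.plist",
            home / "Library" / JAR_NAME,
        ]
    # Linux and other Unix-like systems
    return [
        home / ".config" / "autostart" / "mediamgrs.desktop",
        root / "usr" / "var" / JAR_NAME,
    ]


def find_artifacts(platform: str, home: Path, root: Path = Path("/")) -> List[Path]:
    """Return the artifact paths that actually exist on disk."""
    return [p for p in artifact_paths(platform, home, root) if p.exists()]


# Matches a Run-key value or process command line of the form
# "java ... -jar ... mediamgrs.jar"; the \S* after "java" also covers javaw.exe.
LAUNCH_RE = re.compile(r"java\S*.*-jar.*mediamgrs\.jar", re.IGNORECASE)


def is_crossrat_launch(cmd: str) -> bool:
    return LAUNCH_RE.search(cmd) is not None


def run_key_hits() -> List[str]:
    """Windows only: values under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    that look like the CrossRAT launcher. Returns [] on other platforms."""
    if not sys.platform.startswith("win"):
        return []
    import winreg  # standard library, Windows only
    hits = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            if is_crossrat_launch(str(value)):
                hits.append(f"{name}={value}")
            index += 1
    return hits


# Foreign address ending in :2223 (Linux netstat) or .2223 (macOS netstat),
# or the C2 hostname itself if netstat/DNS logs resolved names.
C2_RE = re.compile(r"flexberry\.com|\S+[:.]2223(?=\s|$)", re.IGNORECASE)


def c2_connections(netstat_lines: Iterable[str]) -> List[str]:
    """Return the netstat-style lines that reference the hardcoded CrossRAT C2."""
    return [ln for ln in netstat_lines if C2_RE.search(ln)]


# Constructed sample (not a real capture) in Linux `netstat -tanp` layout.
# The third line has local port 22230, which must not be mistaken for 2223.
SAMPLE_NETSTAT = """\
tcp   0   0 192.168.1.10:52411   203.0.113.5:2223    ESTABLISHED 4242/java
tcp   0   0 192.168.1.10:49152   93.184.216.34:443   ESTABLISHED 1111/firefox
tcp   0   0 127.0.0.1:22230      127.0.0.1:8080      ESTABLISHED 2222/python
""".splitlines()


def demo_scan() -> dict:
    """Build a constructed macOS-style home directory containing the launch agent
    and run the checks against it, so the scan can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    home = root / "Users" / "victim"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    (agents / "mediamgrs.plist").write_text("<plist></plist>")
    return {
        "mac_artifacts": [p.relative_to(root).as_posix() for p in find_artifacts("darwin", home, root)],
        "linux_artifacts": [p.relative_to(root).as_posix() for p in find_artifacts("linux", home, root)],
        "c2_lines": c2_connections(SAMPLE_NETSTAT),
    }


if __name__ == "__main__":
    print("artifacts on this host:", find_artifacts(sys.platform, Path.home()))
    print("Run-key hits:", run_key_hits())
    print("demo scan:", demo_scan())
```

Run it as the user whose profile you want to check, and pipe `netstat -tan` (Linux) or `netstat -an` (macOS) output into `c2_connections()` for the network check. Keep in mind that file names, the class name and the C2 domain are properties of this particular sample; a recompiled variant can change all of them, so an unexpected `java -jar` process that keeps an outbound connection open is a better long-term signal than the exact strings.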
At the time of writing only 2 of the 58 antivirus engines tested detected CrossRAT, so you cannot rely on your antivirus to catch it; check the artifacts listed above manually.
For a detailed technical overview and analysis of CrossRAT, including its capabilities, persistence mechanisms and command-and-control protocol, see the write-up by ex-NSA hacker Patrick Wardle.