
New CrossRAT Malware Used in Global Cyber-Espionage Campaign


Researchers from the Electronic Frontier Foundation (EFF) and Lookout have published a security research report analyzing a global, government-sponsored APT group called Dark Caracal. The report, titled “Dark Caracal: Cyber-espionage at a Global Scale”, is detailed and makes for a good read. Among its findings are details about a new piece of cross-platform malware, named CrossRAT, which Intego VirusBarrier detects as Java/LaunchAgent.

CrossRAT is a Java-based backdoor that can be deployed on Windows, Linux and macOS systems, and it is the focus of this article. Here’s what we currently know about CrossRAT and what you can do to protect yourself.

How does CrossRAT malware install?

CrossRAT likely ends up on victims’ systems through social engineering, phishing and, in some cases, physical access. The report mentions the use of Facebook groups and WhatsApp messages as well as spear-phishing. It is unknown whether fake or infected installers (such as a bogus Flash Player installer) were used. Because CrossRAT is Java based, infection through a web browser is likely the most common way cybercriminals infect a target.

Once the malicious file () is successfully loaded on a target system, it checks the version of the operating system and installs the appropriate persistence mechanism to keep itself running. The malware then checks in with a Command and Control (C&C) server, receives instructions and gets to work. The C&C server is known to be flexberry[.]com, and CrossRAT communicates with it on port 2223.

Persistence is achieved by installing a LaunchAgent that links to a file placed in the user’s Library folder.

What can CrossRAT do?

When CrossRAT first reaches out to the C&C server, it transmits several pieces of information:

  • Operating System name
  • Operating System version
  • Host name
  • User name

If CrossRAT finds instructions, it will get to work right away. These instructions can be any of the following:

  • Enumerate root directories on the system
  • Enumerate files on the system
  • Create blank file on system
  • Copy file
  • Move file
  • Write file contents
  • Read file contents
  • Heartbeat request
  • Get screenshot

A keylogger module appears to be included in CrossRAT, but it is not active. As CrossRAT reports its version as 0.1, the keylogger and other functionality may simply be activated in future versions.

These commands are enough to exfiltrate all kinds of sensitive data from a system and give the attacker complete control.

Should Mac users be concerned about CrossRAT?

Security researcher Patrick Wardle noted the following in his analysis of CrossRAT:

As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java. Thus, most macOS users should be safe! Of course if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra).

With web browsers either actively blocking Java from running automatically or providing an option to block it, user risk is reduced. That said, spear-phishing and phishing campaigns can be very effective, so a target can be tricked into enabling Java or, as Patrick mentioned, installing it.

How to tell if your Mac is infected (and removal instructions)

To check whether your Mac is infected, and to clear the infection if present, browse to the following folders and trash the following files:

  • ~/Library → Look for a file named mediamgrs.jar – Delete this file (if found).
  • ~/Library → LaunchAgents → Look for a file named mediamgrs.plist – Delete this file (if found).

If an infection is found and the above files have been deleted, empty your Trash and restart your Mac so that the already-loaded LaunchAgent and the Java process it started are no longer running. This will effectively remove the malware from your Mac.
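For anyone who wants to script the check above, here is an added example; it is not code from this article or from the Dark Caracal report. It looks for the two file indicators under ~/Library, confirms that the LaunchAgent property list actually references the jar (the persistence mechanism described earlier), scans connection records for the C&C indicators from the article (flexberry[.]com and port 2223), and can delete the files. The file names, host and port are the ones given in this article; the function names and the HOME_TO_CHECK environment variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Intego article or the Dark Caracal report.
# File names, the C&C host and the port come from the article; the function
# names and the HOME_TO_CHECK variable are this example's own.

# List the CrossRAT artifacts present under the home directory $1, one per line.
# Returns 0 when nothing is found, 1 when at least one indicator exists.
crossrat_check() {
    home="$1"
    found=0
    for path in "$home/Library/mediamgrs.jar" \
                "$home/Library/LaunchAgents/mediamgrs.plist"; do
        if [ -e "$path" ]; then
            echo "FOUND: $path"
            found=1
        fi
    done
    return "$found"
}

# Returns 0 when the property list $1 references mediamgrs.jar, i.e. it is the
# persistence entry described in the article rather than an unrelated file that
# happens to share the name. Plain grep is used so the check also runs on Linux,
# where plutil(1) is unavailable.
crossrat_plist_points_to_jar() {
    grep -q 'mediamgrs\.jar' "$1" 2>/dev/null
}

# Read connection records on stdin (for example lines from `lsof -i -n -P` or
# `netstat -an`) and print those that involve the C&C host or its port 2223.
# Returns 0 when at least one line matched, 1 otherwise (grep's own status).
crossrat_scan_connections() {
    grep -E 'flexberry\.com|[:.]2223([^0-9]|$)'
}

# Delete the indicators under $1. The article's manual procedure trashes the
# files and restarts the Mac; this helper removes them directly and, when
# launchctl is available (macOS), first unloads the agent so the running
# instance does not outlive its plist.
crossrat_remove() {
    home="$1"
    plist="$home/Library/LaunchAgents/mediamgrs.plist"
    if [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    for path in "$home/Library/mediamgrs.jar" "$plist"; do
        if [ -e "$path" ]; then
            rm -f "$path"
            echo "REMOVED: $path"
        fi
    done
}

# Stand-alone use: report on the current user's home directory (or on
# HOME_TO_CHECK, an assumed variable, to examine a copied home directory).
if crossrat_check "${HOME_TO_CHECK:-$HOME}"; then
    echo "No CrossRAT file indicators found."
else
    echo "CrossRAT file indicators present; review them, then call crossrat_remove on that home directory."
fi
```

Running the script only reports; removal is a separate function so that a hit can be reviewed first. The connection scan is meant to be fed saved `lsof` or `netstat` output, and a match on port 2223 alone is only a lead, since the port is not reserved for this malware.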

How to protect yourself from CrossRAT

Intego VirusBarrier users are protected from CrossRAT, detected as Java/LaunchAgent.

Intego’s Mac anti-virus will remove it from an infected system, or block it from installing if the malware makes its way onto your Mac in the future. Using a two-way firewall such as Intego NetBarrier will also alert you to connection attempts to and from applications, which allows you to spot suspect behavior.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research.