U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Stealth CrossRAT malware targets Windows, MacOS, and Linux systems

The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware used by Dark Caracal for surveillance. Last week a joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation detailed the activity of a long-running hacking group linked to the Beirut Government and tracked as Dark […]

crossrat malware

The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware used by Dark Caracal for surveillance.

Last week a joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation detailed the activity of a long-running hacking group linked to the Beirut Government and tracked as Dark Caracal. The hacking campaigns conducted by Dark Caracal leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.

The report detailed a new strain of cross-platform malware tracked as CrossRAT (version 0.1), it is remote access Trojan that can infect systems based on Windows, Solaris, Linux, and macOS.

The malware implements classic RAT features, such as taking screenshots and running arbitrary commands on the infected systems.

At the time of its discovery, the malware was not detected by almost all the anti-virus software (only two out of 58).

crossrat malware

The Dark Caracal attack chain implemented relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

CrossRAT is written in Java programming language, for this reason, researchers can easily decompile it.

The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware.

Once executed on the victim’s system, CrossRAT will determine the operating system it’s running on to trigger the proper installation procedure.

On Linux systems, the RAT also attempts to query systemd files to determine the distribution (i.e. Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint).

Wardle explained that the author implemented specific persistence mechanisms for each operating system. Once installed the malware will attempt to contact the C&C server.

“Now the malware has persistently installed itself, it checks in with the C&C server for tasking. As noted the EFF/Lookout report the malware will connect to flexberry.com on port 2223. ” states the analysis published by Wardle.

The expert discovered that the CrossRAT includes reference ‘jnativehook Java library that provides global keyboard and mouse listeners for Java, but didn’t see any code within that implant that referenced the jnativehook package, likely because the analyzed version was still under development.

Wardle detailed the persistence mechanism implemented for each OS, this information is useful to detect the presence of CrossRAT on a system.

  • Windows:
    Check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. If infected it will contain a command that includes, java-jar and mediamgrs.jar.
  • Mac:
    Check for jar file, mediamgrs.jar, in ~/Library.  Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
  • Linux:
    Check for jar file, mediamgrs.jar, in /usr/var. Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Dark Caracal, CrossRAT)

[adrotate banner=”5″]

[adrotate banner=”13″]