A wide range of cybercriminals is now using a new “undetectable” malware, CrossRAT, that targets Windows, macOS, Solaris and Linux systems.
Last week we published a detailed article on the EFF / Lookout report that revealed a new group of advanced persistent threats (APTs), called Dark Caracal, engaged in worldwide mobile espionage campaigns.
Although the report focuses on large-scale hacking operations against mobile phones rather than computers, it also uncovered a new piece of malware, CrossRAT (version 0.1), which appears to have been developed by, or for, the Dark Caracal group.
CrossRAT is a cross-platform Trojan that targets four operating systems, Windows, Solaris, Linux and macOS, and allows remote attackers to manipulate the file system, capture screenshots, run arbitrary executables and gain persistence on infected systems.
According to the researchers, Dark Caracal hackers do not rely on “zero-day exploits” to distribute their malware; instead, they use basic social engineering through Facebook group messages and WhatsApp messages, encouraging users to visit fake websites controlled by the hackers and download malicious apps.
CrossRAT is written in Java, which allows reverse engineers and researchers to decompile it easily.
Since, at the time of writing, only two of the 58 widespread antivirus solutions on VirusTotal detect CrossRAT, former NSA hacker Patrick Wardle decided to analyze the malware and provide a comprehensive technical overview of its persistence mechanisms, command and control, and capabilities.
CrossRAT Malware 0.1 – Persistent cross-platform monitoring malware
Once executed on the target system, the malware (hmar6.jar) first checks which operating system it is running on and then installs itself accordingly.
CrossRAT also attempts to collect information about the infected system, including the installed operating system version, kernel build and architecture.
On Linux systems, the malware additionally queries system files to determine the distribution, such as Arch Linux, CentOS, Debian, Kali Linux, Fedora and Linux Mint, among others.
CrossRAT then implements operating-system-specific persistence mechanisms so that it runs automatically each time the infected system restarts, and registers with the C&C server, which lets remote attackers send commands and exfiltrate data.
As reported by the Lookout researchers, the CrossRAT variant distributed by Dark Caracal connects to ‘flexberry (dot) com’ on port 2223; this information is hardcoded in the ‘crossrat/k.class’ file.
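As an added example (not code from the article, from Lookout or from Wardle's analysis), the following Python script checks a jar for the three indicators the article names: the crossrat/k.class path, the hardcoded flexberry.com host string (read from the class file's constant pool rather than by a raw byte search), and port 2223 as a sipush operand, which is how javac compiles a constant of that size. The sample jar is constructed inline and carries only a constant pool and a fake body, so it is not a real CrossRAT artefact.

```python
import io
import struct
import zipfile

SUSPECT_CLASS = "crossrat/k.class"  # class holding the hardcoded C2 (per the article)
C2_HOST = "flexberry.com"           # the article defangs it as flexberry (dot) com
C2_PORT = 2223
# Byte width of each fixed-size constant-pool entry, by JVM tag (Utf8, tag 1, is variable).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(class_bytes):  # CONSTANT_Utf8 strings from the constant pool
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, idx, found = 10, 1, []
    while idx < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            found.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += _FIXED[tag]  # KeyError on an unknown tag, i.e. a corrupt pool
        idx += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    return found

def scan_jar(jar_bytes):  # which of the three article IoCs appear in the jar
    hits = {"class": False, "host": False, "port": False}
    sipush_port = b"\x11" + struct.pack(">h", C2_PORT)  # javac compiles 2223 to sipush
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                data = jar.read(name)
                hits["class"] |= name == SUSPECT_CLASS
                hits["host"] |= any(C2_HOST in s for s in utf8_constants(data))
                hits["port"] |= sipush_port in data  # heuristic: opcode plus operand
    return hits

def build_sample_jar():
    # Constructed sample (not a real CrossRAT artefact): valid pool, fake body.
    pool = (b"\x01\x00\x0acrossrat/k" + b"\x07\x00\x01"                     # Utf8, Class
            + b"\x01" + struct.pack(">H", len(C2_HOST)) + C2_HOST.encode()  # Utf8 host
            + b"\x08\x00\x03" + b"\x05" + bytes(8))                         # String, Long
    cls = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 7) + pool
           + b"\x00\x21\x11" + struct.pack(">h", C2_PORT))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SUSPECT_CLASS, cls)
    return buf.getvalue()
```

The port check is only a heuristic, since the same three bytes can occur in unrelated bytecode; the class path and the host string in the constant pool are the stronger signals.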
CrossRAT malware includes an inactive keylogger module
The malware has been designed with some basic surveillance features, which are activated only when predefined commands are received from the C&C server.
Interestingly, Patrick noticed that CrossRAT has also been programmed to use “jnativehook”, an open-source Java library for listening to keyboard and mouse events, but the malware has no predefined command to activate this keylogger.
“However, I did not see any code in this system that would refer to the jnativehook package – so, at this point, it seems that this function is not exploited – there might be a good explanation for this – identify its version at 0.1, perhaps indicating that it is still a work in progress and therefore not complete,” said Patrick.