CrossRAT Targets Windows, Mac, and Linux Systems


Researchers have identified a type of malware that attacks Windows, MacOS, and Linux systems. The CrossRAT malware goes undetected by most anti-virus software and, among other capabilities, includes a keylogger.

Cyber-security researchers and hackers are locked in a constant tussle. Researchers try their best to identify threats, attack vectors, and security loopholes before their adversaries can use them in an attack. Each side wins some battles, and the attackers' wins show up as successful intrusions. A recent find by researchers showed that a new malware by the name of CrossRAT targets Windows, MacOS, and Linux PCs and can cause a lot of damage.

The team of Lookout and EFF identified an Android-based malware more than a week ago which targeted journalists and government officials in 21 countries. The malware was created by a Lebanese group by the name of Dark Caracal as part of their cyber espionage racket. While uncovering this malware, the researchers discovered another, potentially more dangerous, malware called CrossRAT.

CrossRAT is a malware written in Java and believed to target Windows, Mac, and Linux operating systems. It evades most anti-virus scans and has many ways to create havoc once inside. The malware starts by profiling the machine to identify which operating system is running; the check is thorough enough to determine even which Linux distribution is in use. After identifying the kernel and architecture of the machine, it chooses an installation routine specific to that platform. CrossRAT can manipulate the file system and run arbitrary DLL files to cause secondary infection on Windows systems. It can also take screenshots and record keystrokes and operations on the machine using a built-in keylogger.

Ex-NSA hacker Patrick Wardle recently published a detailed report on CrossRAT, which is the source of most of what is known about it. While Windows and Linux systems are more susceptible since Java comes pre-installed, Mac users aren't safe either, since Java is software that most people install right at the beginning. The worrying detail about CrossRAT is that when Wardle checked the sample hmar6.jar file on VirusTotal, only 1 of 58 anti-virus engines detected the malware. The signs are better a week on, with 28 out of 58 engines now detecting it.

If you believe that your system is infected with this malware, or want to check whether your antivirus was unable to protect you, you can follow these steps:

  1. Windows users can check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. If you find a value whose command looks like java, -jar, mediamgrs.jar, then your system is infected with CrossRAT.
  2. Linux users can look in /usr/var for mediamgrs.jar. You should also check for an autostart file named mediamgrs.desktop in ~/.config/autostart.
  3. Mac users should check for mediamgrs.jar in ~/Library. You should also check for a launch agent named mediamgrs.plist in /Library/LaunchAgents or ~/Library/LaunchAgents.
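The three checks above can be automated. The script below is an added example, not code from the article or from Patrick Wardle's report: the indicator name (mediamgrs.jar), the Run key, and the Linux and Mac paths are taken from the steps above, while the function names, the home-directory expansion, and the way the Run key is enumerated are this example's own assumptions. On Windows it reads the HKCU Run key with the standard winreg module; on Linux and Mac it tests the listed file paths.

```python
"""Check a host for the CrossRAT persistence artifacts listed in the article.

Added example (not from the article or from Patrick Wardle's report). The
indicator names and paths come from the three steps above; everything else
here is this example's own design.
"""
import os
import sys

# Indicators taken from the article's three steps.
JAR_NAME = "mediamgrs.jar"
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def run_entry_is_suspicious(command: str) -> bool:
    """True if a Run-key command matches the article's 'java, -jar, mediamgrs.jar' pattern."""
    lowered = command.lower()
    return "java" in lowered and "-jar" in lowered and JAR_NAME in lowered


def expected_artifact_paths(system: str, home: str) -> list:
    """Return the file paths the article tells users to check for one OS.

    `system` is 'windows', 'linux' or 'darwin'; `home` is the user's home directory.
    """
    if system == "linux":
        return [
            os.path.join("/usr/var", JAR_NAME),
            os.path.join(home, ".config", "autostart", "mediamgrs.desktop"),
        ]
    if system == "darwin":
        return [
            os.path.join(home, "Library", JAR_NAME),
            os.path.join("/Library", "LaunchAgents", "mediamgrs.plist"),
            os.path.join(home, "Library", "LaunchAgents", "mediamgrs.plist"),
        ]
    if system == "windows":
        # The article gives no on-disk path for Windows, only the Run value;
        # the jar's location is reported from the Run command itself.
        return []
    raise ValueError("unsupported system: %s" % system)


def find_artifacts(paths) -> list:
    """Return the subset of `paths` that exist on disk."""
    return [p for p in paths if os.path.exists(p)]


def read_windows_run_entries() -> list:
    """Read HKCU\\...\\Run values as (name, command) pairs; empty list off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _value_type = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


def flagged_run_entries(entries) -> list:
    """Keep only the (name, command) pairs that match the CrossRAT pattern."""
    return [(name, cmd) for name, cmd in entries if run_entry_is_suspicious(cmd)]


def current_system() -> str:
    """Map sys.platform onto the three labels used by expected_artifact_paths."""
    if sys.platform.startswith("win"):
        return "windows"
    if sys.platform == "darwin":
        return "darwin"
    return "linux"


def main() -> int:
    """Run the checks for this host; exit 1 if any indicator is present."""
    home = os.path.expanduser("~")
    hits = find_artifacts(expected_artifact_paths(current_system(), home))
    for path in hits:
        print("found CrossRAT artifact:", path)
    flagged = flagged_run_entries(read_windows_run_entries())
    for name, cmd in flagged:
        print("suspicious Run entry %r: %s" % (name, cmd))
    if not hits and not flagged:
        print("no CrossRAT persistence artifacts found")
    return 1 if (hits or flagged) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the user whose profile you want to check, since both the HKCU Run key and the ~ paths are per-user; a hit only means the artifact is present, so treat it as a lead for a closer look at the file rather than as a verdict on its own.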

While the threat was identified before it became widespread, this goes to show that hackers are constantly on the prowl to create malware that evades security checks, does a lot of mischief, and sits in the infected system for a long time.