CrossRAT keylogging malware targets Linux, macOS & Windows PCs

Another day, another malware – This time, it is CrossRAT malware targeting Linux, macOS and Windows devices without being detected by anti-virus software.

Almost a week ago, the IT security researchers at OutLook along with the civil rights group, Electronic Frontier Foundation (EFF) exposed a highly sophisticated cyber espionage campaign operated by Dark Caracal hackers from Lebanon in which the group used Android malware against journalists and government officials in 21 countries.

State-Sponsored Spying Campaign Targeting Users Across 21 Countries
List of countries from where users were targeted (Lookout)

In their findings, the researchers also highlighted the presence of another dangerous malware called CrossRAT written in Java programming language which they believe was developed by Dark Caracal to target OSX, Linux, and Windows-based devices.

The malware is capable of evading anti-virus software and manipulate the file system of a targeted device, take screenshots, run arbitrary DLLs for secondary infection on Windows, and gain persistence on the infected system.

However now Patrick Wardle, a security researcher, and ex-NSA hacker has published a detailed report on CrossRAT according to which once infecting the computer, the malware performs a thorough scan on the machine. It can identify the kernel, the most basic layer that integrates the system with hardware, and the type of architecture. The purpose is to do the specific installation of the program according to each software. 

CrossRAT is so sophisticated that it can rummage through Linux systemmd to identify the distribution of the system including Arch Linux, Centos, Debian, Kali Linux, Fedora etc). In addition, CrossRAT has a built-in keylogger, software that records what is typed on the computer and send it to the command control center (C&C). However, Wardle did not find a way to activate the latter tool.

Moreover, according to Wardle, Windows and Linux computers are more susceptible to infection. This is because, as the malware is built in Java, it is necessary for the user to have this software on the computer. The two operating systems already bring a pre-installed version of Java, whereas, in macOS, it would be necessary to download.

When the researcher scanned the sample hmar6.jar file that installs CrossRAT on VirusTotal, it turned out that only 1 out of 58 anti-virus programs could detect the malware however at the time of publishing this article, 28/58 programs could detect the file as malicious.

CrossRAT keylogging malware targets Linux, macOS & Windows PCs

Now that the malware is detected by most of the security software on VirusTotal, its threat has gone to a low level however following commands can also help you identify if your system is infected with CrossRAT:

  • Windows:
    Check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. If infected it will contain a command that includes, java, -jar and mediamgrs.jar.

  • Mac:
    Check for jar file, mediamgrs.jar, in ~/Library.
    Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.

  • Linux:
    Check for jar file, mediamgrs.jar, in /usr/var.
    Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.

Source: objective-see / Image credit: DepositPhotos/Welcomia

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.