CrossRAT

CrossRAT is a cross platform malware written in Java, targeting Windows, Linux and MacOS. There are signs that imply that the malware was developed by/for the Dark Caracal APT group.

Source: CheckPoint

The infection vector is through a malicious document that arrives in a phishing campaign. If macros are enabled, a malicious code will be executed to download and infect the system. When executed, the malware will try to copy itself to /usr/var/mediagrs.jar if it has permissions, and in case it fails will copy to %HOME%/Library/mediamgrs.jarThe malware creates LaunchAgent “$HOME/Library/LaunchAgents/mediamgrs.plist” for persistence on the infected machine. CrossRAT can manipulate the file system, take screenshots, download and execute additional files. It also uses “jnativehook”, an open source library written in Java, that enables keyboard and mouse listeners, i.e keylogging. In addition the malware collects information from the system and sends it to the C2.

Links:

• https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
• Analyzing CrossRAT

Samples:
7e60c8ae77e20fbd7699187d0baf9ed0477e72f3