Tuesday, February 27, 2024

Most Advanced APT Malware “CrossRAT” Globally Targeting Individuals & Exfiltrate Text Messages, Photos, Call Records

A multi-platform APT CrossRAT Malware discovered with sophisticated surveillance operation that targeting Windows, OSX, and Linux computer globally both individuals and organizations.

It performed by Large-scale Dark Caracal cyber-espionage campaign and conducting advanced spying operation globally.

There are thousand of Victims has been infected and hundreds of gigabytes of data have been stolen from more than 21 countries victims including North America, Europe, the Middle East, and Asia.

CrossRAT also considering as a “newly discovered desktop surveillanceware tool.” that has an ability to target Windows, Linux, and OSX and it performs some malicious operations such as manipulate the file system, take screenshots.

Dark Caracal cyber-espionage targeting governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.

CrossRAT used by Dark Caracal and exfiltrated data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

How does CrossRAT Malware Works

CrossRAT persistence helps to undetectable by malware scanners and it considered as an advanced emerging malware family.

Initially, CrossRAT spreading via Social media links, Phishing emails with an attached jar file that contains a trojanized file.

Since CrossRAT Written in Java, it requires Java to be installed on the target machine. but most recent Mac OS not shipping with Java.

its persistence mechanism bypassed the many antivirus software and it won’t help to detect and remove it from the victim’s machine if the user installed any of this anti-virus software.

CrossRAT Malware contains .jar file and later it was unzipped and find that it has Java-based package structured Java Bytecode.

The file contains 3 Packages. a, b, Crossrat, org and first package (A), appears to be responsible for determining the OS version of any system it is running on.

Java can support allow the Platform  CrossRAT can be deployed on Windows, Linux, SunOS, and OS X.

Accorinding to Researchers, n an infected system, in order to ensure that the OS automatically (re)executes the malware whenever the system is rebooted, the malware must persist itself. This (generally) requires OS-specific code. That is to say, there are Windows-specific methods of persistence, Mac-specific method, Linux-specific methods, etc…

Once the CrossRAT malware completely infected the victim’s machine, it allows a remote attacker to completely take over the entire computer and it modifying the file system.

Its created for global keyboard and mouse listeners for Java to capture the keyboard activities.

Also, this malware using  java.awt.Robot().createScreenCapture function to capture the victim’s screen and saves it as a disk. later it communicates with its Command & Control server and exfiltrates the data.

Also, an attacker can able to create, delete, modifying the file remotely also execute the arbitrary code on the victim’s machine also, you can read the complete technical analysis here


Latest articles

Abyss Locker Ransomware Attacks Microsoft Windows and Linux Users

FortiGuard Labs has released a report detailing the emergence and impact of the Abyss...

14-Year-Old CMS Editor Flaw Exploited to Hack Govt & Edu Sites

Hackers have exploited a vulnerability in a 14-year-old Content Management System (CMS) editor, FCKeditor,...

Zyxel Firewall Flaw Let Attackers Execute Remote Code

Four new vulnerabilities have been discovered in some of the Zyxel Firewall and access...

Hackers Abuse Telegram API To Exfiltrate User Information

Attackers have been using keywords like "remittance" and "receipts" to spread phishing scripts using...

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles