A multi-platform APT CrossRAT Malware discovered with sophisticated surveillance operation that targeting Windows, OSX, and Linux computer globally both individuals and organizations.

It performed by Large-scale Dark Caracal cyber-espionage campaign and conducting advanced spying operation globally.

There are thousand of Victims has been infected and hundreds of gigabytes of data have been stolen from more than 21 countries victims including North America, Europe, the Middle East, and Asia.

CrossRAT also considering as a “newly discovered desktop surveillanceware tool.” that has an ability to target Windows, Linux, and OSX and it performs some malicious operations such as manipulate the file system, take screenshots.

Dark Caracal cyber-espionage targeting governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.

CrossRAT used by Dark Caracal and exfiltrated data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

How does CrossRAT Malware Works

CrossRAT persistence helps to undetectable by malware scanners and it considered as an advanced emerging malware family.

Initially, CrossRAT spreading via Social media links, Phishing emails with an attached jar file that contains a trojanized file.

Since CrossRAT Written in Java, it requires Java to be installed on the target machine. but most recent Mac OS not shipping with Java.

its persistence mechanism bypassed the many antivirus software and it won’t help to detect and remove it from the victim’s machine if the user installed any of this anti-virus software.

CrossRAT Malware contains .jar file and later it was unzipped and find that it has Java-based package structured Java Bytecode.

The file contains 3 Packages. a, b, Crossrat, org and first package (A), appears to be responsible for determining the OS version of any system it is running on.

Java can support allow the Platform  CrossRAT can be deployed on Windows, Linux, SunOS, and OS X.

Accorinding to Researchers, n an infected system, in order to ensure that the OS automatically (re)executes the malware whenever the system is rebooted, the malware must persist itself. This (generally) requires OS-specific code. That is to say, there are Windows-specific methods of persistence, Mac-specific method, Linux-specific methods, etc…

Once the CrossRAT malware completely infected the victim’s machine, it allows a remote attacker to completely take over the entire computer and it modifying the file system.

Its created for global keyboard and mouse listeners for Java to capture the keyboard activities.

Also, this malware using  java.awt.Robot().createScreenCapture function to capture the victim’s screen and saves it as a disk. later it communicates with its Command & Control server and exfiltrates the data.

Also, an attacker can able to create, delete, modifying the file remotely also execute the arbitrary code on the victim’s machine also, you can read the complete technical analysis here