Thursday, March 28, 2024

Most Advanced APT Malware “CrossRAT” Globally Targeting Individuals & Exfiltrate Text Messages, Photos, Call Records

A multi-platform APT CrossRAT Malware discovered with sophisticated surveillance operation that targeting Windows, OSX, and Linux computer globally both individuals and organizations.

It performed by Large-scale Dark Caracal cyber-espionage campaign and conducting advanced spying operation globally.

There are thousand of Victims has been infected and hundreds of gigabytes of data have been stolen from more than 21 countries victims including North America, Europe, the Middle East, and Asia.

CrossRAT also considering as a “newly discovered desktop surveillanceware tool.” that has an ability to target Windows, Linux, and OSX and it performs some malicious operations such as manipulate the file system, take screenshots.

Dark Caracal cyber-espionage targeting governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.

CrossRAT used by Dark Caracal and exfiltrated data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

How does CrossRAT Malware Works

CrossRAT persistence helps to undetectable by malware scanners and it considered as an advanced emerging malware family.

Initially, CrossRAT spreading via Social media links, Phishing emails with an attached jar file that contains a trojanized file.

Since CrossRAT Written in Java, it requires Java to be installed on the target machine. but most recent Mac OS not shipping with Java.

its persistence mechanism bypassed the many antivirus software and it won’t help to detect and remove it from the victim’s machine if the user installed any of this anti-virus software.

CrossRAT Malware contains .jar file and later it was unzipped and find that it has Java-based package structured Java Bytecode.

The file contains 3 Packages. a, b, Crossrat, org and first package (A), appears to be responsible for determining the OS version of any system it is running on.

Java can support allow the Platform  CrossRAT can be deployed on Windows, Linux, SunOS, and OS X.

Accorinding to Researchers, n an infected system, in order to ensure that the OS automatically (re)executes the malware whenever the system is rebooted, the malware must persist itself. This (generally) requires OS-specific code. That is to say, there are Windows-specific methods of persistence, Mac-specific method, Linux-specific methods, etc…

Once the CrossRAT malware completely infected the victim’s machine, it allows a remote attacker to completely take over the entire computer and it modifying the file system.

Its created for global keyboard and mouse listeners for Java to capture the keyboard activities.

Also, this malware using  java.awt.Robot().createScreenCapture function to capture the victim’s screen and saves it as a disk. later it communicates with its Command & Control server and exfiltrates the data.

Also, an attacker can able to create, delete, modifying the file remotely also execute the arbitrary code on the victim’s machine also, you can read the complete technical analysis here

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles