Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Chat about Linux in general

phd21
Level 16
Posts: 6767
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by phd21 » Fri Jan 26, 2018 6:31 pm

Hi Everyone,

In case you did not know ...

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
https://thehackernews.com/2018/01/crossrat-malware.html
CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

According to researchers, Dark Caracal hackers do not rely on any "zero-day exploits" to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hackers-controlled fake websites and download malicious applications.
Hope this helps ...
Phd21: Mint KDE 17.3 & 18.3, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Amii_Leigh
Level 5
Posts: 635
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Amii_Leigh » Fri Jan 26, 2018 8:23 pm

I guess this was bound to happen eventually. I'm *so* glad I don't use 'social' media! :)
नमस्ते = Namaste
I honor the place in you in which the entire universe dwells.
I honor the place in you in which is of love, of truth, of light, and of peace.
When you are in that place in you, and I am in that place in me, we are one.

catweazel
Level 17
Posts: 7068
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by catweazel » Fri Jan 26, 2018 8:33 pm

Amii_Leigh wrote: I guess this was bound to happen eventually. I'm *so* glad I don't use 'social' media! :)
Social engineering is often performed via email, so it's not social media specific.
Caution: Dancing Wu Li Master and Official curmudgeon-in-chief

Citizen229
Level 5
Posts: 819
Joined: Fri Nov 04, 2016 12:09 pm
Location: NW Ohio

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Citizen229 » Fri Jan 26, 2018 8:38 pm

At first glance this is not new. Downloading malicious software has always been around, as well as the vulnerabilities in web browsers. People clicking bad links and installing packages is also not new.
Folding@home Project
Team Linux Mint-76140
PM for info on how you can help. Or visit viewtopic.php?f=58&t=243792
Seeking GPU's, i5/7/9's , Ryzens.

BigEasy
Level 6
Posts: 1152
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by BigEasy » Sat Jan 27, 2018 4:24 am

phd21 wrote: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
https://thehackernews.com/2018/01/crossrat-malware.html

Why Undetectable? Detectable, and perfectly.
Windows assumes I'm stupid but Linux demands proof of it

uberdorf
Level 4
Posts: 232
Joined: Tue Sep 01, 2015 10:15 am

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by uberdorf » Sat Jan 27, 2018 5:09 am

Apparently it is Java malware that queries the OS and then attempts persistence. Most of us have OpenJDK. They call it undetectable because it is new enough not to have a definition yet on most scanners. However, it leaves behind some traces that can be found manually. https://digitasecurity.com/blog/2018/01/23/crossrat/

The command

    ps aux | grep mediamgrs.jar

is supposed to say if it is running. I'm on my son's Kubuntu computer right now (which is mainly used for modded Minecraft (Java) and YouTube) and I found this result, which I don't understand:

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar

From the above linked site, you can also look at
Linux:
Check for jar file, mediamgrs.jar, in /usr/var.
Also look for an 'autostart' file in the ~/.config/autostart likely named mediamgrs.desktop.

Pjotr
Level 20
Posts: 10780
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Pjotr » Sat Jan 27, 2018 5:37 am

How dangerous is this threat *in real life*? Given the fact that Java has been disabled by default in Firefox....

If I understand correctly, this can only become a risk when you *install* something from outside the official repos. Yeah, well, you shouldn't do that anyway. <shrug>
Tip: 10 things to do after installing Linux Mint 19 Tara
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

catweazel
Level 17
Posts: 7068
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by catweazel » Sat Jan 27, 2018 5:58 am

uberdorf wrote: I found this result which I don't understand

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar

From the lines directly above the command:

Q: How can I tell if I'm infected with CrossRAT?

A: First check to see if there is an instance of Java running that's executing mediamgrs.jar.

If that shows up, Java is running.
Caution: Dancing Wu Li Master and Official curmudgeon-in-chief

uberdorf
Level 4
Posts: 232
Joined: Tue Sep 01, 2015 10:15 am

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by uberdorf » Sat Jan 27, 2018 9:40 am

uberdorf wrote: Apparently it is Java malware that queries the OS and then attempts persistence. Most of us have OpenJDK. They call it undetectable because it is new enough not to have a definition yet on most scanners. However, it leaves behind some traces that can be found manually. https://digitasecurity.com/blog/2018/01/23/crossrat/

The command

    ps aux | grep mediamgrs.jar

is supposed to say if it is running. I'm on my son's Kubuntu computer right now (which is mainly used for modded Minecraft (Java) and YouTube) and I found this result, which I don't understand:

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar

I believe the ps aux command is not correct because it will output random words I entered. It should be

    ps -A | grep mediamgrs.jar

thx-1138
Level 6
Posts: 1094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by thx-1138 » Sat Jan 27, 2018 10:25 am

...well, first things first: 'Undetectable' it ain't now for sure.
The discovery / article was published on 23 January. Merely 4 days later, and half the AV industry detects it:
https://www.virustotal.com/#/file/15af5 ... /detection

Secondly... this is a report of the sample in question from 25 January:
https://www.hybrid-analysis.com/sample/ ... af705afb0f
You will probably notice that it uses the JNativeHook library for its keylogging activities:
https://github.com/kwhat/jnativehook
Bit of googling around... and here's a different Java-based keylogger sample from 13 November (win only):
https://www.hybrid-analysis.com/sample/ ... 28fc2bfc00
However, it also (mis-)uses the very same JNativeHook library.

So, besides the fact that they bothered adding some cross-platform detection, I really don't see anything that special about it. There have been cross-platform viruses since the late 90s... let alone that they didn't even need Java to be installed in the first place. Script kiddies I wouldn't necessarily call them, but certainly nothing to make me go 'wow'... Nice that this specific sample was discovered, however, obviously.

If I were to actually further comment on something, that would be... good luck (and patience) to JNativeHook's author: if his library is currently being misused by malware authors as seen above, it won't really take long until he starts receiving frequent complaints about false positives from AV products every now & then....

sevendogs
Level 1
Posts: 27
Joined: Sun Feb 05, 2017 8:38 pm
Location: Texas

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by sevendogs » Thu Feb 01, 2018 11:23 pm

I'm still trying to process Solaris as one of the 4 most popular desktop operating systems...
HP z800 2x6 core Xeon, 96 GB DDR3 5.5TB SSD, Evga 1050Ti 4GB, Mint 18.2 Cinnamon
"Give a man a truth and he will think for a day. Teach a man to reason and he will think for a lifetime"

WharfRat
Level 20
Posts: 11464
Joined: Thu Apr 07, 2011 8:15 pm

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by WharfRat » Fri Feb 02, 2018 1:15 am

uberdorf wrote: Apparently it is Java malware that queries the OS and then attempts persistence. Most of us have OpenJDK. They call it undetectable because it is new enough not to have a definition yet on most scanners. However, it leaves behind some traces that can be found manually. https://digitasecurity.com/blog/2018/01/23/crossrat/

The command

    ps aux | grep mediamgrs.jar

is supposed to say if it is running. I'm on my son's Kubuntu computer right now (which is mainly used for modded Minecraft (Java) and YouTube) and I found this result, which I don't understand:

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar

Just so you know, your result is the grep command, as per the grep --color=auto mediamgrs.jar description :wink:

mram1340
Level 1
Posts: 6
Joined: Wed Sep 06, 2017 3:09 am

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by mram1340 » Sat Feb 03, 2018 6:02 am

Bottom line is if you don't know where or who an email came from don't open it and never follow a link in it, even if you do know who it came from be careful. Don't go to weird sites, **** sites and the likes. Dammit there goes all my fun.
Even when I get banking statements I don't click on the links in the mail; I use bookmarks or type it in. Haven't had a virus in a long, long time, and neither have my PCs.

absque fenestris
Level 5
Posts: 563
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by absque fenestris » Tue Feb 13, 2018 7:25 am

CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.
If I look at this evil rat, that is actually a very accurate description of macOS or Windows :lol:
Linux Mint 18.3 Sylvia (Mate) 32-bit - Acer D250 Netbook (Intel Atom N270, 2 GB RAM, 120 GB SSD)

marcia
Level 3
Posts: 112
Joined: Sat Oct 27, 2007 3:34 pm

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by marcia » Tue Feb 13, 2018 1:38 pm

Hi Everyone,

If mediamgrs.jar shows up in your system what can you do to be rid of it?

Will appreciate any suggestions.

Thank you.

absque fenestris
Level 5
Posts: 563
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by absque fenestris » Tue Feb 13, 2018 9:04 pm

Before mediamgrs.jar shows up in your system, make a backup of your private data; then you can decide between repairing it or setting up a new system.
Linux Mint 18.3 Sylvia (Mate) 32-bit - Acer D250 Netbook (Intel Atom N270, 2 GB RAM, 120 GB SSD)

marcia
Level 3
Posts: 112
Joined: Sat Oct 27, 2007 3:34 pm

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by marcia » Wed Feb 14, 2018 1:21 pm

Hi,

Thanks very much for the suggestion. If I totally uninstall all Java, would this make a difference? Now is not a great time to set up a new system for me. It does not show up in autostart, but when I used the suggested command:

    $ ps aux | grep mediamgrs.jar
    xxxxl+ 11681 0.0 0.0 11760 2236 pts/6 S+ 11:18 0:00 grep --colour=auto mediamgrs.jar

If there is another way to be rid of this I would love to know.

Just hoping there is.

Thanks.

Portreve
Level 6
Posts: 1289
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Portreve » Wed Feb 14, 2018 1:50 pm

I look at this all as an IQ test. If you're that stupid, you probably deserve it.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.

thx-1138
Level 6
Posts: 1094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by thx-1138 » Wed Feb 14, 2018 2:03 pm

marcia wrote (Wed Feb 14, 2018 1:21 pm): It does not show up in autostart but when I used the suggested command:

    $ ps aux | grep mediamgrs.jar
    xxxxl+ 11681 0.0 0.0 11760 2236 pts/6 S+ 11:18 0:00 grep --colour=auto mediamgrs.jar

That command, as already said above, is wrong. Use ps ax.

DAMIEN1307
Level 5
Posts: 971
Joined: Tue Feb 21, 2017 8:13 pm
Location: Alamogordo, New Mexico

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by DAMIEN1307 » Wed Feb 14, 2018 5:00 pm

Am I missing something here?... This looks like a totally normal Java mediamgrs.jar response to me... I don't open attachments in email and I use no other "social" things except this forum... Most of this thread is not making any sense to me... a "tempest in a teacup?"... DAMIEN

    damien@DAMIEN ~ $ ps ax | grep mediamgrs.jar
    3927 pts/0 S+ 0:00 grep --colour=auto mediamgrs.jar
    damien@DAMIEN ~ $
ORDO AB CHAO
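The checks passed around in this thread (uberdorf's process and file indicators taken from the Digita Security write-up, and the ps aux / ps -A / ps ax discussion that WharfRat, thx-1138 and DAMIEN1307 continue) collected into one script, as an added example that is not from the thread or from Digita Security. The jar name and the two paths are the thread's; the function names and the root/home parameters are assumptions of this example. The process check uses pgrep -f, which matches full command lines and never reports itself, so a clean host prints nothing instead of the grep line every poster saw; ps -A is avoided because it prints only the program name, so a "java -jar mediamgrs.jar" process would appear just as "java". The script only reports, it removes nothing.

```shell
#!/bin/sh
# Added example: not code from the thread or from the Digita Security post it cites.
# Collects the CrossRAT indicator checks the thread mentions (a Java process running
# mediamgrs.jar, the jar in /usr/var, and mediamgrs.desktop in ~/.config/autostart)
# into functions that report findings without removing anything. Function names and
# the root/home parameters are assumptions of this example, not of the source.

JAR_RE='mediamgrs\.jar'   # regex form, so the dot is matched literally

# Process check.
# "ps aux | grep mediamgrs.jar" always prints one line because the grep's own
# argv contains the string (the result every poster in the thread saw).
# "ps -A" prints only the program name, so a "java -jar mediamgrs.jar" process
# shows up merely as "java" and is missed.
# pgrep -f matches the full command line and never reports itself.
running_jar_pids() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -f "$JAR_RE" || true        # no match is not an error here
    else
        # Fallback: "[m]ediamgrs" matches "mediamgrs" in other processes'
        # command lines but not the literal "[m]ediamgrs" in grep's own argv.
        ps ax | grep "[m]ediamgrs\.jar" | awk '{ print $1 }'
    fi
}

# Filesystem check.
# $1: root to inspect ("" for the live system; a mount point or test tree otherwise)
# $2: home directory whose autostart folder to inspect (defaults to $HOME)
# Prints one "FOUND <path>" line per indicator; exits 0 if anything was found, 1 if clean.
crossrat_file_indicators() {
    root="${1:-}"
    home="${2:-$HOME}"
    hits=0
    for path in "$root/usr/var/mediamgrs.jar" \
                "$home/.config/autostart/mediamgrs.desktop"; do
        if [ -e "$path" ]; then
            printf 'FOUND %s\n' "$path"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Summary for the live system.
crossrat_report() {
    pids=$(running_jar_pids)
    if [ -n "$pids" ]; then
        echo "Process with mediamgrs.jar on its command line: PID(s) $pids"
    else
        echo "No process with mediamgrs.jar on its command line."
    fi
    if crossrat_file_indicators "" "$HOME"; then
        echo "Indicator file(s) present (see FOUND lines above)."
    else
        echo "No mediamgrs.jar or mediamgrs.desktop in the locations the thread lists."
    fi
}

# Run the report with "sh crossrat_check.sh --report"; without the flag the file
# can be sourced so the functions are available to other scripts.
if [ "${1:-}" = "--report" ]; then
    crossrat_report
fi
```

Passing a root other than "" lets the file check run against a mounted disk image or a copied tree, which is how you would inspect a machine you do not want to boot; the live process check only makes sense on the running host.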
