Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

phd21
Level 20
Posts: 10103
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by phd21 »

Hi Everyone,

In case you did not know ...

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
https://thehackernews.com/2018/01/crossrat-malware.html
CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

According to researchers, Dark Caracal hackers do not rely on any "zero-day exploits" to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hackers-controlled fake websites and download malicious applications.
Hope this helps ...
Phd21: Mint 20 Cinnamon & xKDE (Mint Xfce + Kubuntu KDE) & KDE Neon 64-bit (new based on Ubuntu 20.04) Awesome OS's, Dell Inspiron I5 7000 (7573) 2 in 1 touch screen, Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, Intel 4 Graphics.
Amii_Leigh
Level 5
Posts: 724
Joined: Fri Mar 25, 2016 10:58 pm
Location: Somewhere in the middle of nowhere, Missouri

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Amii_Leigh »

I guess this was bound to happen eventually. I'm *so* glad I don't use 'social' media! :)
नमस्ते = Namaste
I honor the place in you in which the entire universe dwells.
I honor the place in you in which is of love, of truth, of light, and of peace.
When you are in that place in you, and I am in that place in me, we are one.
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by catweazel »

Amii_Leigh wrote: I guess this was bound to happen eventually. I'm *so* glad I don't use 'social' media! :)
Social engineering is often performed via email, so it's not social media specific.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Citizen229

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Citizen229 »

At first glance this is not new. Downloading malicious software has always been around, as well as the vulnerabilities in web browsers. People clicking bad links and installing packages is also not new.
BigEasy
Level 6
Posts: 1282
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by BigEasy »

phd21 wrote: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
https://thehackernews.com/2018/01/crossrat-malware.html
Why undetectable? Detectable, and perfectly.
Windows assumes I'm stupid but Linux demands proof of it
uberdorf

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by uberdorf »

Apparently it is Java malware that queries the OS and then attempts persistence. Most of us have OpenJDK. They call it undetectable because it is new enough that it doesn't have a definition yet on most scanners. However, it leaves behind some traces that can be found manually. https://digitasecurity.com/blog/2018/01/23/crossrat/

The command

    ps aux | grep mediamgrs.jar
is supposed to say if it is running. I'm on my son's Kubuntu computer right now (which is mainly used for modded Minecraft (Java) and YouTube) and I found this result, which I don't understand:

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar
From the above linked site, you can also look at the following on Linux:
Check for the jar file, mediamgrs.jar, in /usr/var.
Also look for an 'autostart' file in ~/.config/autostart, likely named mediamgrs.desktop.
Pjotr
Level 23
Posts: 19879
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Pjotr »

How dangerous is this threat *in real life*? Given the fact that Java has been disabled by default in Firefox....

If I understand correctly, this can only become a risk when you *install* something from outside the official repos. Yeah, well, you shouldn't do that anyway. <shrug>
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by catweazel »

uberdorf wrote: I found this result which I don't understand

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar

From the lines directly above the command:
Q: How can I tell if I'm infected with CrossRAT?

A: First check to see if there is an instance of Java running that's executing mediamgrs.jar.
If that shows up, Java is running.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
uberdorf

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by uberdorf »

uberdorf wrote: Apparently it is Java malware that queries the OS and then attempts persistence. Most of us have OpenJDK. They call it undetectable because it is new enough that it doesn't have a definition yet on most scanners. However, it leaves behind some traces that can be found manually. https://digitasecurity.com/blog/2018/01/23/crossrat/

The command

    ps aux | grep mediamgrs.jar

is supposed to say if it is running. I'm on my son's Kubuntu computer right now (which is mainly used for modded Minecraft (Java) and YouTube) and I found this result, which I don't understand:

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar

I believe the ps aux command is not correct because it will output random words I entered. It should be

    ps -A | grep mediamgrs.jar
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by thx-1138 »

...well, first things first: 'Undetectable' it ain't now, for sure.
The discovery / article was published on 23 January. Merely 4 days later, and half the AV industry detects it:
https://www.virustotal.com/#/file/15af5 ... /detection

Secondly...this is a report of the sample in question from 25 January:
https://www.hybrid-analysis.com/sample/ ... af705afb0f
You will probably notice that it uses the JNativeHook library for its keylogging activities:
https://github.com/kwhat/jnativehook
Bit of googling around...and, here's a different sample Java-based keylogger from 13 November (Win only):
https://www.hybrid-analysis.com/sample/ ... 28fc2bfc00
However, it also (mis-)uses the very same JNativeHook library.

So, besides the fact that they bothered themselves adding some cross-platform detection, I really don't see anything that much special about it. There have been cross-platform viruses since the late 90s...let alone that they didn't even need Java to be installed in the first place. Script-kiddies I wouldn't necessarily call them, but certainly nothing to make me go 'wow'...Nice that this specific sample was discovered, however, obviously.

If I was to actually further comment on something, that would be...good luck (and patience) to JNativeHook's author: if his library is currently being misused by malware authors as seen above, it won't really take long until he starts receiving frequent complaints about false positives from AV products every now & then....
sevendogs

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by sevendogs »

I'm still trying to process Solaris as one of the 4 most popular desktop operating systems...
WharfRat

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by WharfRat »

uberdorf wrote: Apparently it is Java malware that queries the OS and then attempts persistence. Most of us have OpenJDK. They call it undetectable because it is new enough that it doesn't have a definition yet on most scanners. However, it leaves behind some traces that can be found manually. https://digitasecurity.com/blog/2018/01/23/crossrat/

The command

    ps aux | grep mediamgrs.jar

is supposed to say if it is running. I'm on my son's Kubuntu computer right now (which is mainly used for modded Minecraft (Java) and YouTube) and I found this result, which I don't understand:

    scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar

Just so you know, your result is the grep command itself, as per the "grep --color=auto mediamgrs.jar" description :wink:
mram1340

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by mram1340 »

Bottom line is, if you don't know where or who an email came from, don't open it and never follow a link in it; even if you do know who it came from, be careful. Don't go to weird sites, <violates forum rules> sites and the like. Dammit, there goes all my fun.
Even when I get banking statements I don't click on the links in the mail; I use bookmarks or type it in. Haven't had a virus in a long, long time, and neither have my PCs.
absque fenestris
Level 12
Posts: 4124
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by absque fenestris »

phd21 wrote: CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

If I look at this evil rat, that is actually a very accurate description of macOS or Windows :lol:
marcia
Level 3
Posts: 181
Joined: Sat Oct 27, 2007 3:34 pm

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by marcia »

Hi Everyone,

If mediamgrs.jar shows up in your system what can you do to be rid of it?

Will appreciate any suggestions.

Thank you.
absque fenestris
Level 12
Posts: 4124
Joined: Sat Nov 12, 2016 8:42 pm
Location: Confoederatio Helvetica

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by absque fenestris »

Before mediamgrs.jar shows up in your system, make a backup of your private data; then you can decide between repairing or setting up a new system.
marcia
Level 3
Posts: 181
Joined: Sat Oct 27, 2007 3:34 pm

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by marcia »

Hi,

Thanks very much for the suggestion. If I totally uninstall all Java, would this make a difference? Now is not a great time to set up a new system for me. It does not show up in autostart, but when I used the suggested command:

    $ ps aux | grep mediamgrs.jar
    xxxxl+ 11681 0.0 0.0 11760 2236 pts/6 S+ 11:18 0:00 grep --colour=auto mediamgrs.jar

If there is another way to be rid of this I would love to know.

Just hoping there is.

Thanks.
Portreve
Level 13
Posts: 4882
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by Portreve »

I look at this all as an IQ test. If you're that stupid, you probably deserve it.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by thx-1138 »

marcia wrote: Wed Feb 14, 2018 1:21 pm It does not show up in autostart but when I used the suggested command:

    $ ps aux | grep mediamgrs.jar
    xxxxl+ 11681 0.0 0.0 11760 2236 pts/6 S+ 11:18 0:00 grep --colour=auto mediamgrs.jar

That command, as already said above, is wrong. Use ps ax.
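A defender's check for the indicators discussed in this thread (the jar in /usr/var, the autostart entry, and the process listing) that does not count the grep process itself as a hit, the false positive uberdorf, marcia and DAMIEN1307 all ran into. This is an added example, not code from the thread or from the linked write-ups; the ps listing it parses is constructed, and the --live flag and path prefix are this script's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked write-ups.
# Checks the CrossRAT indicators named in this thread on a Linux host, and
# avoids the false positive several posters hit: "ps aux | grep mediamgrs.jar"
# always lists the grep process itself, because grep's own argv contains the
# search string.

# Count real hits in a ps listing read from stdin: lines that mention
# mediamgrs.jar but whose command is not grep. Prints the count.
count_real_hits() {
    awk '/mediamgrs\.jar/ && $0 !~ /(^| )grep( |$)/ { n++ }
         END { print n + 0 }'
}

# Live process check: returns 0 (hit) when a non-grep process references
# the jar. "pgrep -f mediamgrs.jar" is the usual shortcut; awk keeps the
# logic visible.
crossrat_process_check() {
    [ "$(ps ax -o pid= -o args= | count_real_hits)" -gt 0 ]
}

# Filesystem indicators quoted in the thread: the jar in /usr/var and the
# autostart entry. The optional first argument prefixes every path, so the
# check can be pointed at a mounted image or a test directory.
crossrat_file_check() {
    root="${1:-}"
    hit=1
    for p in "$root/usr/var/mediamgrs.jar" \
             "$root${HOME}/.config/autostart/mediamgrs.desktop"; do
        if [ -e "$p" ]; then
            echo "indicator present: $p"
            hit=0
        fi
    done
    return "$hit"
}

# Constructed sample listing: the grep line from the thread plus one line
# shaped like a real hit. Only the second should count.
SAMPLE_PS='scott     7172  0.0  0.0  14224   920 pts/1    S+   02:54   0:00 grep --color=auto mediamgrs.jar
scott     7101  0.4  1.1 2048000 90000 ?       Sl   02:50   0:05 java -jar /usr/var/mediamgrs.jar'

# Run the live checks only when invoked with --live (keeps sourcing harmless).
if [ "${1:-}" = "--live" ]; then
    if crossrat_process_check; then echo "process hit"; else echo "no process hit"; fi
    crossrat_file_check || echo "no file indicators"
fi
```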
DAMIEN1307

Re: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Post by DAMIEN1307 »

Am I missing something here?...this looks like a totally normal Java mediamgrs.jar response to me...I don't open attachments in email and I use no other "social" things except this forum...most of this thread is not making any sense to me...a "tempest in a teacup?"...DAMIEN

    damien@DAMIEN ~ $ ps ax | grep mediamgrs.jar
    3927 pts/0 S+ 0:00 grep --colour=auto mediamgrs.jar
    damien@DAMIEN ~ $