CrossRAT: new malware, dangerous even for macOS

31 / 01 / 2018

Last week, researchers from Lookout and the Electronic Frontier Foundation (EFF) published a security research report* that uncovers Dark Caracal, a global malware espionage group. Its cybercriminals have launched a multi-platform campaign against military personnel, enterprises, health professionals, lawyers, journalists, educational institutions, and activists. This malicious campaign is spreading through a new piece of “undetectable” spyware that targets Windows, macOS, Solaris, and Linux operating systems.

Dark Caracal is known to have been in business for quite a long time. Since 2012, it has affected the private data of users from over 21 countries. What’s more, according to Lookout and EFF, the Dark Caracal group might be state-sponsored, and the governments of Lebanon and Kazakhstan are reported to use malicious tools to track the online behavior of their residents.

CrossRAT is the Dark Caracal surveillance tool. It collects a huge list of private information, including text messages, call records, contacts, images, account information, bookmarks and browsing history, installed applications, audio recordings, Wi-Fi details, WhatsApp/Telegram/Skype databases, and more.

According to researchers, Dark Caracal hackers use a typical method: encouraging users to follow links in Facebook and WhatsApp messages. These links lead to hacker-controlled fake websites where users are offered a fake security update for WhatsApp, Signal, Threema, Telegram, or Orbot to download. Users don’t suspect these updates to be malicious.

Once executed on the targeted system, the implant file (hmar6.jar) installs the surveillance tool. Moreover, the CrossRAT implant is designed to collect information about the infected system, including the installed OS version, kernel build, and its architecture. With this information, the malicious software allows remote attackers to send commands and extract data.

How to check if your Mac is infected

To detect if your Mac has been infected by CrossRAT, do the following:

  1. Check for the jar file named mediamgrs.jar in ~/Library.

  2. Search for a launch agent named mediamgrs.plist in /Library/LaunchAgents or ~/Library/LaunchAgents.
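
The two checks above as a script, added here as an example (it is not from the Lookout/EFF report or from this article's author). It goes beyond the steps as written by walking every account under /Users instead of only the current one, and it also looks in the system-wide /Library/LaunchAgents; the function names and the optional root prefix (for examining a mounted disk image) are assumptions.

```shell
#!/bin/sh
# Added example: look for the CrossRAT file indicators named in the article.
# Function names and the ROOT argument are assumptions made for this example.

# Print the path and succeed if it exists. -e is false for a dangling
# symlink, so -L is tested as well.
crossrat_hit() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        printf 'FOUND: %s\n' "$1"
        return 0
    fi
    return 1
}

# crossrat_scan USERS_DIR [ROOT]
#   USERS_DIR  directory holding the home folders (/Users on macOS)
#   ROOT       prefix for the system-wide /Library; empty on a live Mac,
#              a mount point when inspecting a disk image
# Prints one "FOUND:" line per indicator. Returns 0 if nothing was found,
# 1 if at least one indicator is present.
crossrat_scan() {
    users_dir=$1
    root=${2:-}
    hits=0
    for home in "$users_dir"/*; do
        [ -d "$home" ] || continue
        for rel in Library/mediamgrs.jar Library/LaunchAgents/mediamgrs.plist; do
            if crossrat_hit "$home/$rel"; then
                hits=$((hits + 1))
            fi
        done
    done
    # The system-wide launch agent folder is checked once, not per user.
    if crossrat_hit "$root/Library/LaunchAgents/mediamgrs.plist"; then
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# On a live Mac: scan all local accounts and report the outcome.
if crossrat_scan /Users; then
    echo "No CrossRAT file indicators found."
else
    echo "CrossRAT indicator(s) present: review the paths listed above."
fi
```

Run it from an administrator account so that other users' Library folders are readable; a clean result only means these specific file names are absent.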

What to do to protect yourself

Experts recommend installing behavior-based threat detection software that alerts you whenever anything is covertly installed. Still, the most reliable way is to avoid installing anything malicious on your Mac, and that’s what MacKeeper can help you with. Its security features automatically block malicious websites, securing your Mac both online and offline.

*https://blog.lookout.com/dark-caracal-mobile-apt