Being Java-based, the CrossRAT malware infection can affect Linux systems, as well as Solaris, Mac and Windows. Source: Shutterstock

CrossRAT malware threatens Solaris, Linux, Mac and Windows

A NEW strain of difficult-to-detect malware has been discovered, which affects machine types thought to be more immune than most.

Linux operating systems, as well as Windows, macOS, and Solaris boxes are all prone to infection as the malware was written in Java – the programming language used to create cross-platform applications for those platforms.

MacOS users are at some small advantage as with its latest versions, Java needs to be manually downloaded and installed to run Java apps – whereas it comes as part of many standard installs across the other OSes mentioned.

Rather than be based on a new zero-day exploit, the malware, called CrossRAT, relies on basic social engineering which takes place over WhatsApp messaging and Facebook groups. Users are enticed into visiting certain websites, where they’re coerced into downloading and installing the malware.

The group behind the attack is thought to be Dark Caracal, which hails from Lebanon, and is believed to have used Android malware in the past against journalists and government officials in 21 countries.

As well as presenting their messages down genuine social channels, the group has in the past used fake versions of Telegram and WhatsApp to collect data from victims, who install and use the apps thinking they are genuine.

CrossRAT still evades many types of antivirus software and can manipulate the file system of infected devices, run DLLs on Windows machines, create persistence for itself, and it also has the ability to be a key-stroke logger.

The malware is sophisticated enough to identify infected devices’ kernels in order to work to its fullest efficiency and is able, for instance, to differentiate between “flavors” of Linux: CentOS, Red Hat, Kali etc.

The following may help you to identify if your system is infected:

Check the Registry key at:
If infected, it will contain a command which includes “java”, “-jar” and “mediamgrs.jar”.

Mac OS:
Check for presence of “mediamgrs.jar” in ~/Library.
Also, check for anything with “mediamgrs” in the title of files in /Library/LaunchAgents or ~/Library/LaunchAgents.

Infected systems have “mediamgrs.jar” at /usr/var plus unexpected autostart executables, likely named “mediamgrs.desktop” in ~/.config/autostart.