Unlike less invasive forms of malware, CrossRAT is a part of a global espionage campaign backed by a government-supported dark web cyber gang. Feels like a James Bond movie, right?🙂
CrossRAT came to light when a report was published by the Electronic Frontier Foundation (EFF) and Lookout Security. It uncovered evidence that the CrossRAT virus was created by or for a group known as the Dark Caracal.
According to some reports, the group’s activities are believed to be linked to the Lebanese government’s General Directorate of General Security (GDGS), the country’s main foreign intelligence agency. Although accounts differ on whether a rogue employee or the GDGS is or was actively directing the activities of Dark Caracal, one of the IP addresses traces the group to a building near a GDGS office in Beirut, Lebanon. It is unknown whether Dark Caracal is acting on behalf of other hostile nations or whether this global spying cyber attack is a cover for other forms of hostile cyber activity.
What is CrossRAT?
Although state-sponsored cyber attacks, spying, and terrorism are nothing new, many cyber analysts have commented on the scale and scope of this malware. It also shows a level of sophistication that demonstrates how quickly cyber criminals keep up with evolving internet trends and platforms.
On behalf of the GDGS, Major General Abbas Ibrahim denied any involvement with Dark Caracal or any connection to the global CrossRAT malware.
According to The Verge, the “tactics are similar to previous government-linked spyware campaigns, targeting individuals through spear phishing or watering hole attacks, then using malware implants to quietly siphon data from their phones.”
During the six months the cyber attacks were tracked, six separate campaigns were found to be taking place in Germany, Pakistan, and Venezuela. The EFF also connects these attacks to a similar 2015 campaign involving a different, albeit similar, form of malware targeting dissidents in Kazakhstan. This leads some analysts to speculate that these campaigns are “part of a new kind of spyware service, one that contracts jobs by the target rather than selling tools outright”: a digital spy for hire rather than one operating on behalf of any government in particular.
Mac users are lured to unsafe, cyber-criminal-controlled websites through links on Facebook, WhatsApp, and other social networks and messaging platforms, including Slack and Whisper, and are tricked into downloading the virus there.
The CrossRAT virus is typically distributed via Java software that bears a malicious component named mediamgrs.jar.
Once the Remote Access Trojan (RAT) has been downloaded, it can manipulate security settings, copy files and data, take screenshots, and record audio and video, and it can stay on your Mac for months without being detected. It is a persistent problem for Mac users who’ve been infected with CrossRAT malware, and it may not be obvious that your Mac has been infected. Malware doesn’t always present with symptoms or strange behavior; therefore, you run the risk of unwittingly sending your data to a gang of cyber criminals without realizing malware has infected your Mac.
However, one saving grace is that CrossRAT is written in Java, which, thankfully, made it easier for security experts to detect and reverse engineer the virus.
How to check if your Mac is infected
One way to see if you are infected is to look inside your Library folder. You can access it by clicking Finder > Go > Go to Folder... and then copy-pasting each of the following locations:
- ~/Library: check for a jar file named mediamgrs.jar.
- ~/Library/LaunchAgents: look for a launch agent named mediamgrs.plist.
- /Library/LaunchAgents: repeat the previous check for mediamgrs.plist here.
Another upside, as far as Mac users are concerned, is that it requires Java to be enabled to make it work. As one security expert pointed out:
“Luckily recent versions of macOS do not ship with Java. most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS.”
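The checks above (the three file locations and the Java requirement) can be scripted. The following POSIX shell script is an added example and is not part of the original article or of any vendor's tooling; the indicator filenames mediamgrs.jar and mediamgrs.plist and the three directories come from the article, while the function names, the optional directory parameters, and the launch-agent listing are our own choices. It also lists every launch agent in the two LaunchAgents folders so you can spot names you do not recognise, which is what the manual search later in the article amounts to.

```shell
#!/bin/sh
# Added example (not from the original article): automates the CrossRAT
# indicator checks described above. Indicator paths are from the article;
# function names and parameters are our own.

# check_crossrat_paths [HOME_DIR] [SYSTEM_LIBRARY]
# Looks for the artifacts named in the article. Prints each path that exists.
# Returns 0 when nothing was found and 1 when at least one was found, so it
# can be used directly in an if-condition.
check_crossrat_paths() {
    home_dir="${1:-$HOME}"
    sys_lib="${2:-/Library}"
    hits=0
    for p in \
        "$home_dir/Library/mediamgrs.jar" \
        "$home_dir/Library/LaunchAgents/mediamgrs.plist" \
        "$sys_lib/LaunchAgents/mediamgrs.plist"
    do
        if [ -e "$p" ]; then
            echo "FOUND: $p"
            ls -l "$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# list_launch_agents [HOME_DIR] [SYSTEM_LIBRARY]
# Prints every launch agent plist in the user and system LaunchAgents folders,
# one path per line, so unfamiliar entries stand out. Always returns 0.
list_launch_agents() {
    home_dir="${1:-$HOME}"
    sys_lib="${2:-/Library}"
    for d in "$home_dir/Library/LaunchAgents" "$sys_lib/LaunchAgents"; do
        if [ -d "$d" ]; then
            for f in "$d"/*.plist; do
                if [ -e "$f" ]; then
                    echo "$f"
                fi
            done
        fi
    done
    return 0
}

# java_runtime_present
# Returns 0 if a Java runtime is reachable (java on PATH, or reported by the
# macOS helper /usr/libexec/java_home), 1 otherwise. Without a runtime the
# mediamgrs.jar payload cannot execute, which is the point of the quote above.
java_runtime_present() {
    if command -v java >/dev/null 2>&1; then
        return 0
    fi
    if [ -x /usr/libexec/java_home ] && /usr/libexec/java_home >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Run all three checks against this machine when executed directly.
echo "== CrossRAT indicator files =="
if check_crossrat_paths; then
    echo "No CrossRAT indicator files found."
else
    echo "Indicator file(s) present: review them and the launch agent before removal."
fi
echo "== Launch agents installed =="
list_launch_agents
echo "== Java runtime =="
if java_runtime_present; then
    echo "A Java runtime is installed, so a .jar payload could run on this Mac."
else
    echo "No Java runtime found; a .jar payload cannot run here."
fi
```

Run it with `sh crossrat-check.sh` from a Terminal window; the optional arguments exist only so the functions can be pointed at a copy of another user's Library folder or at a test directory. A hit from check_crossrat_paths is a strong indicator, but an empty result is not proof of a clean system, since the article itself notes the malware may be hiding elsewhere.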
How to remove CrossRAT?
One way would be to uninstall Java if you’ve ever installed it or are using a Mac that is old enough to still have it built into the system.
Another way is to search manually — as we mentioned above, those are the first places you should look. After checking those files, it is worth searching every library and directory for anything that seems out of place, especially if you’ve visited websites you weren’t sure of or that felt insecure after following a link from Facebook, WhatsApp, or another social network.
It can take hours of work to manually search everywhere the executables for CrossRAT could be hiding.
Instead of going the manual route, the most effective way to safely eliminate this is to download CleanMyMac X (most antivirus software can’t detect CrossRAT).
The quickest way: Destroy CrossRAT with an app
Recommended by some tech experts, like legendary Bob LeVitus, a.k.a. Dr. Mac, CleanMyMac X has been shown to effectively combat viruses on macOS. It scans and neutralizes lots of recently discovered malware, like the BlackHole virus or CrossRAT. Additionally, it clears out years’ worth of junk and unseen apps you didn’t even know you had on your Mac.
To remove CrossRAT using CleanMyMac X:
- Download CleanMyMac X (a link to free download).
- Use the Malware Removal tool.
- Click Scan so that it scans for every known virus, including CrossRAT.
- If your Mac has an infection, this will show up.
Now CleanMyMac X can safely remove every virus, malware, and anything else that is causing your Mac problems.
CrossRAT is almost certainly the work of a hostile government, trapping targets and innocent people as it moves across the web. It is very difficult to detect and not easy to remove, either. With an application of effort or the right app, you can find and remove this nasty trojan.