CrossRAT malware: Protect your Mac
Unlike ordinary commodity malware, CrossRAT is a remote access trojan used in a global espionage campaign that researchers have attributed to a group with apparent links to a government intelligence agency.
CrossRAT came to light when the Electronic Frontier Foundation (EFF) and Lookout Security published a report that uncovered evidence the trojan was created by, or for, a group known as Dark Caracal.
According to some reports, the group's activities are believed to be linked to the Lebanese government's General Directorate of General Security (GDGS), the country's main foreign intelligence agency, although accounts differ on whether this is the work of a rogue employee or whether the GDGS is, or was, actively directing Dark Caracal. One of the IP addresses traces the group to a building near a GDGS office in Beirut, Lebanon. It is unknown whether Dark Caracal acts on behalf of other hostile nations, or whether this global spying campaign is cover for other forms of hostile cyber activity.
What is CrossRAT?
Although state-sponsored cyber attacks, spying and terrorism are nothing new, the scale and scope of this campaign are something many analysts have commented on. It also shows a level of sophistication that demonstrates how quickly well-resourced attackers keep up with evolving internet platforms and trends.
On behalf of the GDGS, Major General Abbas Ibrahim denied any involvement with Dark Caracal or any connection to the global CrossRAT malware.
According to The Verge, the “tactics are similar to previous government-linked spyware campaigns, targeting individuals through spear phishing or watering hole attacks, then using malware implants to quietly siphon data from their phones.”
During the six months the attacks were tracked, six separate campaigns were found to be taking place, with targets in Germany, Pakistan and Venezuela. The EFF also connects these attacks to a similar 2015 campaign involving a different, though related, form of malware targeting dissidents in Kazakhstan. This leads some analysts to speculate that these campaigns are “part of a new kind of spyware service, one that contracts jobs by the target rather than selling tools outright.” In other words, a digital spy for hire rather than one operating on behalf of any government in particular.
Mac users are directed to attacker-controlled websites through links on Facebook, WhatsApp and other social networks and messaging platforms, including Slack and Whisper, and are tricked into downloading the trojan there.
CrossRAT is typically distributed as Java software carrying a malicious component named mediamgrs.jar.
Image credit: https://thehackernews.com
Once the Remote Access Trojan (RAT) is running, it can manipulate security settings, copy files and data, take screenshots, record audio and video, and persist on your Mac for months without being detected. It is a persistent problem for Mac users who have been infected, and the infection may not be obvious: malware does not always present with symptoms or strange behaviour, so you run the risk of unwittingly sending your data to the attackers without realising the Mac is compromised.
One saving grace is that CrossRAT is written in Java, whose bytecode decompiles readily, which made it easier for security researchers to detect and reverse engineer the trojan.
How to check if your Mac is infected
One way to see if you are infected is to look inside your Library folder. You can access it by clicking Finder > Go > Go to Folder...
Now, copy-paste each of the following locations and look for the files named:
- ~/Library: check for a jar file named mediamgrs.jar.
- ~/Library/LaunchAgents: look for a launch agent named mediamgrs.plist.
- /Library/LaunchAgents: repeat the last check for the system-wide launch agent folder.
Another upside, as far as Mac users are concerned, is that CrossRAT needs a Java runtime installed in order to run at all. As one security expert pointed out, “Luckily recent versions of macOS do not ship with Java. Most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra).”
How to remove CrossRAT?
One step is to uninstall Java, if you ever installed it or are using a Mac old enough to have shipped with it. Without a Java runtime the dropped jar cannot execute, although the jar and its launch agent stay on disk until you remove them.
Another way is to search manually; the locations listed above are the first places you should look. After checking those files, it is worth searching every Library folder for anything that seems out of place, especially if you have visited websites you weren't sure of, or that felt insecure, after following a link from Facebook, WhatsApp or another social network.
It can take hours of work to manually search everywhere the executables for CrossRAT could be hiding.
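The manual check and the manual removal above can be scripted. The following is an added example written for this article, not code from the original page or from the researchers who analysed CrossRAT. It checks only the three indicator paths the article names, shows the strings inside any launch agent it finds so you can confirm it points at the jar, and, on request, unloads the agent and moves the files into a quarantine folder instead of deleting them, so a sample survives for analysis. The positional arguments (a root prefix, a home directory and a quarantine directory) are this example's own assumption, added so it can be pointed at a test tree; on a live Mac you call the functions with no arguments.

```shell
#!/bin/sh
# Added example (not from the original article): check for, and quarantine, the
# CrossRAT indicators the text names. The arguments are an assumption of this
# example so it can be run against a test tree; they are not part of the page:
#   $1 = system root prefix ("" for the live Mac)   $2 = home directory (default $HOME)
#   $3 (remove only) = quarantine directory (default $2/crossrat-quarantine)

# Indicator paths from the article. Launch agents come first so removal unloads
# the agent before the jar it starts is moved.
crossrat_paths() {
  prefix="${1:-}"; home="${2:-$HOME}"
  printf '%s\n' \
    "$home/Library/LaunchAgents/mediamgrs.plist" \
    "$prefix/Library/LaunchAgents/mediamgrs.plist" \
    "$home/Library/mediamgrs.jar"
}

# Print "FOUND <path>" for each indicator present. For a plist also print the
# <string> values inside it so the operator can see what ProgramArguments runs.
crossrat_check() {
  crossrat_paths "${1:-}" "${2:-}" | while IFS= read -r p; do
    [ -e "$p" ] || continue
    echo "FOUND $p"
    case "$p" in
      *.plist) grep -o '<string>[^<]*</string>' "$p" 2>/dev/null | sed 's/^/    /' ;;
    esac
  done
  # On a live Mac (no prefix), also ask launchd whether the agent is loaded right now.
  if [ -z "${1:-}" ] && command -v launchctl >/dev/null 2>&1; then
    launchctl list 2>/dev/null | grep -i mediamgrs | sed 's/^/LOADED /'
  fi
  return 0
}

# Number of indicator files present (0 means none of the listed paths exist).
crossrat_indicator_count() {
  crossrat_check "$@" | grep -c '^FOUND ' || true
}

# Move (not delete) each indicator into the quarantine directory. On a live Mac the
# launch agent is unloaded and the Java process stopped first, otherwise launchd
# would simply restart the jar.
crossrat_remove() {
  prefix="${1:-}"; home="${2:-$HOME}"; quarantine="${3:-$home/crossrat-quarantine}"
  mkdir -p "$quarantine"
  crossrat_paths "$prefix" "$home" | while IFS= read -r p; do
    [ -e "$p" ] || continue
    if [ -z "$prefix" ]; then
      case "$p" in *.plist) launchctl unload "$p" 2>/dev/null || true ;; esac
      pkill -f mediamgrs.jar 2>/dev/null || true
    fi
    # A path-derived name keeps the user and system copies of the plist apart.
    mv "$p" "$quarantine/$(printf '%s' "$p" | tr '/' '_')" && echo "QUARANTINED $p"
  done
}
```

Run `crossrat_check` first and read the output; only once the plist clearly launches `java -jar .../mediamgrs.jar` should you run `crossrat_remove`. The quarantine folder is yours to delete once you no longer need the sample.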
Instead of going the manual route, the most effective way to safely eliminate it is to download CleanMyMac X (at the time of the report, most antivirus products did not detect CrossRAT).
The quickest way: Destroy CrossRAT with an app
Recommended by some tech experts, such as the legendary Bob LeVitus, a.k.a. Dr Mac, the CleanMyMac app has been shown to effectively combat malware on macOS. It scans for and neutralizes many recently discovered strains, such as the BlackHole virus and CrossRAT. Additionally, it clears out years' worth of junk and unseen apps you didn't even know you had on your Mac.
To remove CrossRAT using CleanMyMac X:
- Download CleanMyMac X (the link goes to the free edition of the app)
- Use the Malware Removal tool;
- Click Scan so that it scans for every known virus, including CrossRAT
- If your Mac has an infection, this will show up
CleanMyMac X can then safely remove every virus, piece of malware and anything else that is causing your Mac problems.
Note: The free version of the app lets you scan your Mac for DOK malware at no cost.
CrossRAT is attributed to a group with apparent ties to a government, trapping targets and innocent people alike as it moves across the web. It is very difficult to detect and not easy to remove, either, but with some effort, or the right app, you can find and remove this nasty trojan.