Threat Feed
high advisory

CrossRAT Multi-Platform Surveillanceware Analysis

CrossRAT is a Java-based, multi-platform surveillance tool targeting Windows, macOS, and Linux systems, capable of file system manipulation, screenshot capture, and persistence.

CrossRAT is a cross-platform implant discovered by the EFF and Lookout and analyzed by Objective-See. Written in Java, this malware targets Windows, macOS, and Linux systems. The sample analyzed was named ‘hmar6.jar’. CrossRAT can manipulate the file system, capture screenshots, and run arbitrary DLLs on Windows systems for secondary infection. It focuses on establishing persistence on infected systems to ensure continued access. The malware gathers OS-specific information to tailor its actions on the compromised host and to communicate with its command and control server.

Attack Chain

  1. The malware, typically a JAR file (e.g., hmar6.jar), is executed on the target system, which requires a Java Runtime Environment.
  2. CrossRAT identifies the operating system (Windows, macOS, or Linux) using System.getProperty("os.name") and OS-specific commands like /usr/bin/sw_vers on macOS or examining /etc/os-release on Linux.
  3. The malware establishes persistence. On macOS, it creates a Launch Agent in /Library/LaunchAgents/ or /Users/<user>/Library/LaunchAgents/, writing a plist file.
  4. The Launch Agent plist configures the system to execute the malware (java -jar <malware.jar>) upon system startup via the “RunAtLoad” key.
  5. The malware gathers system information, including OS version, kernel build, and architecture, by executing commands such as uname -a.
  6. CrossRAT establishes communication with its command and control (C2) server to receive further instructions.
  7. Based on the instructions from the C2, CrossRAT manipulates the file system, takes screenshots, or executes arbitrary DLLs (on Windows).
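The persistence artifact from steps 3 and 4 is a Launch Agent plist whose ProgramArguments invoke `java -jar` on a JAR and whose RunAtLoad key is true. The following read-only checker is an added example, not code from the advisory or from the analyzed sample: it parses plists with Python's standard `plistlib`, reports whether an agent matches that pattern, and can scan the two LaunchAgents directories named above. The two embedded plists, their labels and the JAR path are constructed for the example, not values taken from a real sample.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Directories named in the advisory (the per-user one is expanded at scan time).
LAUNCH_AGENT_DIRS = ("/Library/LaunchAgents", "~/Library/LaunchAgents")

# Constructed Launch Agent of the kind described in steps 3-4: RunAtLoad plus a
# "java -jar" command. Label and JAR path are placeholders, not real-sample values.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.placeholder</string>
    <key>ProgramArguments</key>
    <array>
        <string>java</string>
        <string>-jar</string>
        <string>/Users/victim/Library/placeholder.jar</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for contrast: a native binary on a timer, no RunAtLoad.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/usr/local/bin/updater</string><string>--check</string></array>
    <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""


def launch_command(agent):
    """Return the command an agent launches as a list of strings ([] if none)."""
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    prog = agent.get("Program")
    return [str(prog)] if prog else []


def inspect_agent(plist_bytes):
    """Parse one plist and report whether it matches the java -jar / RunAtLoad pattern."""
    agent = plistlib.loads(plist_bytes)
    if not isinstance(agent, dict):
        return {"label": None, "command": [], "run_at_load": False,
                "jar": None, "suspicious": False}
    cmd = launch_command(agent)
    # Compare the basename so "/usr/bin/java" and "java" are treated alike.
    exe = Path(cmd[0]).name.lower() if cmd else ""
    runs_jar = exe == "java" and "-jar" in cmd
    run_at_load = bool(agent.get("RunAtLoad", False))
    return {
        "label": agent.get("Label"),
        "command": cmd,
        "run_at_load": run_at_load,
        "jar": next((a for a in cmd if a.lower().endswith(".jar")), None),
        "suspicious": runs_jar and run_at_load,
    }


def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS):
    """Read-only scan: findings for every plist under dirs that matches, plus parse errors."""
    findings = []
    for d in dirs:
        for plist_path in Path(d).expanduser().glob("*.plist"):
            try:
                report = inspect_agent(plist_path.read_bytes())
            except (plistlib.InvalidFileException, ExpatError, OSError) as exc:
                # Unreadable or malformed plists are worth a look too, so record them.
                findings.append({"path": str(plist_path), "error": str(exc)})
                continue
            if report["suspicious"]:
                report["path"] = str(plist_path)
                findings.append(report)
    return findings


if __name__ == "__main__":
    for finding in scan_launch_agents():
        print(finding)
```

Run stand-alone on a Mac it prints only matching agents (and unreadable plists) from the two standard directories; the match is deliberately narrow (RunAtLoad and a `java -jar` command), so a JAR launched on a StartInterval timer would need the rule extended.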

Impact

CrossRAT allows attackers to perform surveillance activities on infected systems. Successful infection enables exfiltration of sensitive data, manipulation of files, and persistent access to the compromised system. The cross-platform nature of CrossRAT enables attackers to target a wide range of victims regardless of their operating system.

Recommendation

  • Monitor process creation events for the execution of java -jar from unusual locations, as this is a common method for launching CrossRAT (see rule: “Detect CrossRAT Execution via Java”).
  • Monitor the creation of new Launch Agents in /Library/LaunchAgents/ or /Users/<user>/Library/LaunchAgents/ directories on macOS, specifically those executing JAR files (see rule: “Detect CrossRAT macOS Persistence”).
  • Inspect network connections originating from Java processes for suspicious command and control traffic.
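The first recommendation above, process-creation monitoring for `java -jar` from unusual locations, can be prototyped over logged events before it is turned into a platform rule. The script below is an added example, not the advisory's own rule or the vendor's query: it reads process-creation records in a simplified JSON shape assumed for this example (fields `host`, `image`, `cmdline`, `parent`; not a real EDR or Sysmon schema), extracts the JAR path from the command line, and alerts when that path sits in a temp, Downloads, per-user Library or AppData directory. The event lines and the list of "unusual" locations are constructed and are meant to be tuned to the environment.

```python
import json
import re
import shlex

# Constructed process-creation events (simplified JSON, fields assumed for this example).
SAMPLE_EVENTS = [
    r'{"host":"mac-01","image":"/usr/bin/java","cmdline":"java -jar /Users/alice/Library/placeholder.jar","parent":"/sbin/launchd"}',
    r'{"host":"win-07","image":"C:\\Program Files\\Java\\jre\\bin\\javaw.exe","cmdline":"javaw.exe -jar C:\\Users\\bob\\AppData\\Local\\Temp\\placeholder.jar","parent":"C:\\Windows\\explorer.exe"}',
    r'{"host":"build-02","image":"/usr/bin/java","cmdline":"java -jar /opt/jenkins/jenkins.war --httpPort=8080","parent":"/usr/bin/bash"}',
    r'{"host":"mac-01","image":"/usr/bin/python3","cmdline":"python3 -m http.server","parent":"/bin/zsh"}',
]

# Locations from which a JAR is rarely launched legitimately (assumed starting list;
# matched against a lower-cased, forward-slash-normalised path).
UNUSUAL_LOCATION_PATTERNS = [re.compile(p) for p in (
    r"^/(private/)?(tmp|var/tmp)/",                 # POSIX temp directories
    r"^/users/[^/]+/(library|downloads)/",          # macOS per-user Library and Downloads
    r"^/home/[^/]+/(\.[^/]+|downloads)/",           # Linux dot-directories and Downloads
    r"^[a-z]:/users/[^/]+/(appdata|downloads)/",    # Windows AppData and Downloads
    r"^[a-z]:/windows/temp/",                       # Windows system temp
)]

JAVA_EXES = {"java", "java.exe", "javaw", "javaw.exe"}


def _tokens(cmdline, windows):
    """Split a command line; Windows paths keep their backslashes."""
    if windows:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    return shlex.split(cmdline)


def jar_from_cmdline(cmdline, windows=False):
    """Return the JAR path given to 'java -jar', or None if this is not such a launch."""
    tokens = _tokens(cmdline, windows)
    if not tokens:
        return None
    exe = re.split(r"[\\/]", tokens[0])[-1].lower()
    if exe not in JAVA_EXES:
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-jar":
            return tokens[i + 1]
    return None


def normalize_path(path):
    return path.replace("\\", "/").lower()


def is_unusual_location(path):
    p = normalize_path(path)
    return any(pat.search(p) for pat in UNUSUAL_LOCATION_PATTERNS)


def detect_suspicious_java(event_lines):
    """Return one alert dict per event that launches a JAR from an unusual location."""
    alerts = []
    for line in event_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record; a production pipeline would count these
        image = ev.get("image", "")
        windows = "\\" in image or re.match(r"^[A-Za-z]:", image) is not None
        jar = jar_from_cmdline(ev.get("cmdline", ""), windows)
        if jar is None or not is_unusual_location(jar):
            continue
        alerts.append({
            "host": ev.get("host"),
            "jar": jar,
            "parent": ev.get("parent"),
            "reason": "java -jar launched from unusual location",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_java(SAMPLE_EVENTS):
        print(alert)
```

The parent process is carried into the alert because it is the cheapest second signal: a `java -jar` whose parent is `launchd` and whose JAR lives under a user's Library directory is the process-side view of the persistence described in the attack chain, whereas a build server running a JAR from /opt under a shell is the kind of benign hit the location list is meant to exclude.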

Detection coverage (2 rules)

Detect CrossRAT Execution via Java

high

Detects the execution of CrossRAT via the java -jar command

Rule format: Sigma. Tactics: execution. Techniques: T1204.002. Sources: process_creation, windows.

Detect CrossRAT macOS Persistence

medium

Detects the creation of a Launch Agent plist file used by CrossRAT for persistence on macOS

Rule format: Sigma. Tactics: persistence. Techniques: T1543.001. Sources: file_event, macos.
