{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mac-os-x/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mac OS X"],"_cs_severities":["high"],"_cs_tags":["crossrat","rat","persistence","surveillanceware"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eCrossRAT is a cross-platform implant discovered by the EFF/Lookout and analyzed by Objective-See. Written in Java, this malware targets Windows, macOS, and Linux systems. The malware sample analyzed was named \u0026lsquo;hmar6.jar\u0026rsquo;. CrossRAT possesses capabilities such as manipulating the file system, capturing screenshots, and running arbitrary DLLs on Windows systems for secondary infection. It focuses on establishing persistence on infected systems to ensure continued access. The malware gathers OS-specific information to tailor its actions on the compromised host and communicate effectively with its command and control server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe malware, typically a JAR file (e.g., hmar6.jar), is executed on the target system, requiring Java Runtime Environment.\u003c/li\u003e\n\u003cli\u003eCrossRAT identifies the operating system (Windows, macOS, or Linux) using \u003ccode\u003eSystem.getProperty(\u0026quot;os.name\u0026quot;)\u003c/code\u003e and OS-specific commands like \u003ccode\u003e/usr/bin/sw_vers\u003c/code\u003e on macOS or examining \u003ccode\u003e/etc/os-release\u003c/code\u003e on Linux.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence. On macOS, it creates a Launch Agent in \u003ccode\u003e/Library/LaunchAgents/\u003c/code\u003e or \u003ccode\u003e/Users/\u0026lt;user\u0026gt;/Library/LaunchAgents/\u003c/code\u003e, writing a plist file.\u003c/li\u003e\n\u003cli\u003eThe Launch Agent plist configures the system to execute the malware (java -jar \u0026lt;malware.jar\u0026gt;) upon system startup via the \u0026ldquo;RunAtLoad\u0026rdquo; key.\u003c/li\u003e\n\u003cli\u003eThe malware gathers system information, including OS version, kernel build, and architecture, by executing commands such as \u003ccode\u003euname -a\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCrossRAT establishes communication with its command and control (C2) server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eBased on the instructions from the C2, CrossRAT manipulates the file system, takes screenshots, or executes arbitrary DLLs (on Windows).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCrossRAT allows attackers to perform surveillance activities on infected systems. Successful infection enables exfiltration of sensitive data, manipulation of files, and persistent access to the compromised system. The cross-platform nature of CrossRAT enables attackers to target a wide range of victims regardless of their operating system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003ejava -jar\u003c/code\u003e from unusual locations, as this is a common method for launching CrossRAT (see rule: \u0026ldquo;Detect CrossRAT Execution via Java\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor the creation of new Launch Agents in \u003ccode\u003e/Library/LaunchAgents/\u003c/code\u003e or \u003ccode\u003e/Users/\u0026lt;user\u0026gt;/Library/LaunchAgents/\u003c/code\u003e directories on macOS, specifically those executing JAR files (see rule: \u0026ldquo;Detect CrossRAT macOS Persistence\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInspect network connections originating from Java processes for suspicious command and control traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:31:00Z","date_published":"2024-01-03T17:31:00Z","id":"/briefs/2024-01-crossrat/","summary":"CrossRAT is a Java-based, multi-platform surveillance tool targeting Windows, macOS, and Linux systems, capable of file system manipulation, screenshot capture, and persistence.","title":"CrossRAT Multi-Platform Surveillanceware Analysis","url":"https://feed.craftedsignal.io/briefs/2024-01-crossrat/"}],"language":"en","title":"CraftedSignal Threat Feed — Mac OS X","version":"https://jsonfeed.org/version/1.1"}