Last week, companies specializing in cyber security discovered the existence of a new Advanced Persistent Threat (APT), supposedly sponsored by Dark Caracal, an organization dedicated to espionage. Since 2012 it has operated in 21 countries and has focused on mobile platforms, perhaps because of the large number of unsupported Android devices that are still in operation.
Recently they developed a cross-platform remote access Trojan (RAT) called CrossRAT. It is undetectable and can infect Windows, macOS, Linux and Solaris. According to an information security expert, its malicious capabilities include remotely manipulating files on the system, taking screenshots, running arbitrary executables and maintaining persistent access to the infected device.
Cyber security researchers say that Dark Caracal does not rely on any zero-day vulnerability but uses basic social engineering through Facebook groups and WhatsApp messages. CrossRAT is written in Java, so it is easy to decompile and reverse engineer.
CrossRAT uses a file called hmar6.jar to check which operating system is in use and complete the installation correctly. It then tries to gather information about the infected system, including the version, the architecture and the kernel build. On Linux systems that use systemd, it consults the init files to determine the distribution. Most popular distributions, such as Ubuntu, Fedora, openSUSE, RHEL 7, Arch Linux, Mageia and Manjaro, use systemd.
CrossRAT implements mechanisms specific to each operating system that are executed one or more times to trigger a reboot and register the infected computer with Dark Caracal's command and control server, allowing the attackers to send commands and extract data; this shows that the malware was created for surveillance. It connects to the flexberry.com domain on port 2223.
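A defender-side hunting check built from the indicators the article names (the hmar6.jar file, the flexberry.com domain and port 2223). This is an added example, not code from the article or from any vendor; the ps/ss-style output, the IP addresses, the jar path and the IP-to-hostname map are constructed samples.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: the jar name and the C2 domain/port.
CROSSRAT_JAR = "hmar6.jar"
C2_DOMAIN = "flexberry.com"
C2_PORT = 2223

@dataclass(frozen=True)
class Finding:
    kind: str    # "process" or "network"
    detail: str  # the raw line that triggered the match

# A 'ps -eo pid,user,args'-style line running the jar through java.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(.*\bjava\b.*\b" + re.escape(CROSSRAT_JAR) + r"\b.*)$")
# A 'ss -tn'-style line: state, recv-q, send-q, local addr:port, peer addr:port.
NET_RE = re.compile(r"^(ESTAB|SYN-SENT)\s+\d+\s+\d+\s+\S+\s+(\S+?):(\d+)")

def scan_processes(ps_output: str) -> list[Finding]:
    """Flag java processes whose command line loads hmar6.jar."""
    return [Finding("process", line.strip())
            for line in ps_output.splitlines() if PROC_RE.match(line)]

def scan_connections(ss_output: str, resolved: dict[str, str]) -> list[Finding]:
    """Flag peers on the C2 port or resolving to the C2 domain.
    'resolved' maps peer IP -> hostname, e.g. from DNS or proxy logs."""
    findings = []
    for line in ss_output.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        peer_ip, port = m.group(2), int(m.group(3))
        host = resolved.get(peer_ip, "")
        if port == C2_PORT or host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            findings.append(Finding("network", line.strip()))
    return findings

# Constructed samples: one benign and one suspicious entry in each listing.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/lib/systemd/systemd-journald
 2419 alice    java -jar /tmp/hmar6.jar
 2533 alice    /usr/bin/gnome-shell
"""
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:41200 192.0.2.10:2223
ESTAB 0 0 10.0.0.5:41201 198.51.100.7:443
"""
RESOLVED = {"192.0.2.10": "flexberry.com"}  # constructed mapping

def hunt() -> list[Finding]:
    return scan_processes(SAMPLE_PS) + scan_connections(SAMPLE_SS, RESOLVED)
```

In a real hunt, feed `scan_processes` and `scan_connections` the live listings of each host and the IP-to-name map from your DNS logs.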
According to information security professionals, it is surprising that there is no predefined command to activate the keylogger: the feature cannot be activated from the command and control server, which may be explained by the malware still being at an early stage of development.