Former NSA hacker Patrick Wardle recently published a detailed analysis of the CrossRAT malware, which is targeting Windows, OSX, and Linux computers and mobile devices worldwide for global surveillance purposes. Wardle’s analysis came on the back of a joint report published last week by security firm Lookout and digital civil rights group the Electronic Frontier Foundation (EFF), publishing information on the activity of a long-standing hacking group known as Dark Caracal, believed to be linked to the Beirut government. Lookout/EFF described the hacking group as an espionage-for-hire ring operating out of the headquarters of Lebanon’s intelligence agency, the General Directorate of General Security (GDGS) in Beirut. This kind of actor represents an emerging global threat, in which hacking groups work for governments and other organizations on a contract basis, and are thus able to wield nation-state-level hacking capabilities.
Lookout/EFF says, “The barrier to entry for cyber-warfare has continued to decrease, which means new nation states — previously without significant offensive capabilities — are now able to build and deploy widespread multi-platform cyber-espionage campaigns.”
They added, “Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation.” The stolen data includes personally identifiable information and enterprises’ intellectual property, such as documents, call records, audio recordings, secure messaging client content, and contact information. The targets are spread across more than 21 countries in North America, Europe, the Middle East and Asia.
The mobile component of the group’s work is one of the first known nation-state espionage campaigns of this kind to operate on a global scale rather than limiting itself to the opponents of a single country. It primarily attacks individuals’ mobile devices with a customized attack tool that Lookout has dubbed Pallas.
The group deploys custom Android malware packaged inside spoofed versions of supposedly encrypted messaging apps such as WhatsApp and Signal. Lookout’s report points out that a compromised client quickly renders that kind of encryption, and the supposedly watertight infrastructure behind it, useless.
CrossRAT (version 0.1) is a remote access Trojan that can infect multiple operating systems. At the time of the report, anti-virus software was largely failing to identify it (only two out of 58 scanners positively detected the malware).
CrossRAT is written in Java, which, as Wardle points out, makes it “decompilable”: Java bytecode can be turned back into readable source, so malware written in Java can be analysed fairly easily. Wardle focuses on the malware’s persistence mechanism (and install location), its C&C communications, and its principal features and capabilities. He points out that “not all the logic in the implant can be OS-agnostic”; persistence, for instance, is OS-specific. He found that the implant contains OS-specific code that allows more precise OS detection. To persist on an infected system, the malware must arrange for the OS to automatically (re-)execute it whenever the system is rebooted, and the mechanism for doing so differs from one OS to another. CrossRAT also contains logic to persist on Windows machines, similarly ensuring that it survives a reboot.
CrossRAT has various features once it has installed itself, including the ability “to manipulate the file system, take screenshots, run arbitrary DLLs for secondary infection on Windows, and gain persistence on the infected system”, according to Lookout and the EFF. They also found that its malicious capabilities are still being developed. Wardle describes Cross-RAT as “fairly feature-complete and able to run on a large number of platforms”. He adds, “Moreover, as noted by the EFF/Lookout the attackers utilizing CrossRAT seem to be both (decently) competent, motivated, and successful.”
Wardle also suggests ways to avoid infection, noting the EFF/Lookout report’s emphasis on the attackers’ reliance on social media and phishing to gain access to systems. He says most macOS users should be safe, since recent versions of macOS do not ship with Java. He advises using anti-virus software that detects suspicious behaviour, such as attempts to gain persistence.
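To make the point about OS-specific persistence concrete, here is an added example of a per-user autostart audit from the defender’s side. It is my own illustration, not Wardle’s code, and it does not describe where CrossRAT actually installs itself (this article does not give those locations). It assumes only the standard per-user autostart mechanisms of each OS: launchd agents under ~/Library/LaunchAgents on macOS, XDG ~/.config/autostart entries on Linux desktops, and the HKCU Run key on Windows. The `is_suspicious` triage heuristic (a Java launcher run from the user’s home or a temp directory, or a hidden entry) and the sample entries built by `run_demo` are constructed for the demo, and the audit goes beyond the article by covering all three platforms in one tool. System-wide locations, cron jobs and services are deliberately out of scope.

```python
"""Per-user autostart audit for macOS, Linux and Windows (added illustration,
not Wardle's code and not a description of CrossRAT's own artefacts): the
standard autostart locations differ per OS, so an audit must be OS-specific."""
import plistlib
import sys
import tempfile
from pathlib import Path


def audit_launch_agents(home: Path) -> list[dict]:
    """macOS: launchd loads every ~/Library/LaunchAgents/*.plist at login."""
    found = []
    for plist in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        try:
            with plist.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # a malformed plist is itself worth reporting
            found.append({"os": "macos", "source": str(plist), "error": str(exc)})
            continue
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        found.append({"os": "macos", "source": str(plist), "label": data.get("Label"),
                      "command": " ".join(str(a) for a in args),
                      "run_at_load": bool(data.get("RunAtLoad", False))})
    return found


def audit_xdg_autostart(home: Path) -> list[dict]:
    """Linux desktops: ~/.config/autostart/*.desktop entries run at session start."""
    found = []
    for desktop in sorted((home / ".config" / "autostart").glob("*.desktop")):
        fields = {}
        for line in desktop.read_text(errors="replace").splitlines():
            if "=" in line and not line.startswith(("#", "[")):
                key, _, value = line.partition("=")
                fields[key.strip()] = value.strip()
        found.append({"os": "linux", "source": str(desktop), "label": fields.get("Name"),
                      "command": fields.get("Exec", ""),
                      "hidden": fields.get("Hidden", "false").lower() == "true"})
    return found


def audit_windows_run_key() -> list[dict]:
    """Windows: values under HKCU\\...\\CurrentVersion\\Run start at each logon."""
    if sys.platform != "win32":
        return []  # winreg only exists on Windows
    import winreg
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    found = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            found.append({"os": "windows", "source": "HKCU\\" + subkey,
                          "label": name, "command": str(value)})
            index += 1
    return found


def is_suspicious(entry: dict, home: Path) -> bool:
    """Hypothetical triage heuristic (an assumption of this example, not a rule
    from the report): a Java launcher started from the user's home or a temp
    directory, or a hidden entry, deserves a closer look."""
    command = (entry.get("command") or "").lower()
    runs_java = "java" in command
    from_user_path = str(home).lower() in command or "/tmp/" in command
    return bool(entry.get("hidden", False)) or (runs_java and from_user_path)


def run_demo() -> dict:
    """Build a constructed sample home directory, audit it and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        agents = home / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        with (agents / "com.example.updater.plist").open("wb") as fh:  # constructed sample
            plistlib.dump({"Label": "com.example.updater",
                           "ProgramArguments": ["java", "-jar", str(home / ".updater.jar")],
                           "RunAtLoad": True}, fh)
        autostart = home / ".config" / "autostart"
        autostart.mkdir(parents=True)
        (autostart / "updater.desktop").write_text(  # constructed sample
            "[Desktop Entry]\nType=Application\nName=Updater\n"
            f"Exec=java -jar {home / '.updater.jar'}\nHidden=true\n")
        entries = audit_launch_agents(home) + audit_xdg_autostart(home) + audit_windows_run_key()
        return {"entries": entries,
                "flagged": [e for e in entries if is_suspicious(e, home)]}


if __name__ == "__main__":
    for entry in run_demo()["flagged"]:
        print(entry["os"], entry.get("label"), "->", entry.get("command"))
```

Running the script audits the constructed sample and prints the two planted entries as flagged; pointing the three `audit_*` functions at a real home directory (and running the Windows branch on Windows) turns it into a quick baseline check of the per-user autostart surface an implant would have to use to survive a reboot.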
Google has said it protects devices from the CrossRAT malware and is in the process of removing it from users’ devices. Google also said that none of the infected versions were available in its official Google Play store.
Lookout/EFF note that Dark Caracal also deploys desktop malware, including Finfish, “a lawful intercept tool”, and a Windows attack tool called Bandook RAT.
The EFF, which describes itself as “the leading non-profit defending digital privacy, free speech, and innovation”, first became aware of Dark Caracal when it was undertaking Operation Manul, an investigation into spying operations against dissidents who had spoken out against Kazakhstan’s authoritarian government in 2016. Journalists and political activists, as well as their family members, lawyers and associates, were targets of an online phishing and malware campaign the EFF came to believe was carried out on behalf of the Kazakhstan government.
The EFF collaborated with Lookout to investigate more deeply, and working together, they found that the infrastructure deployed by Operation Manul was being used on a global scale for other unrelated activities.
“The team concluded that the same infrastructure is likely shared by multiple actors and is being used in a new set of campaigns,” Lookout/EFF said in the report. “This suggests that Dark Caracal either uses or manages the infrastructure found to be hosting a number of widespread, global cyber-espionage campaigns.”