I am constantly monitoring the Mac tech world for potential Mac malware. One of the latest attacks sent to us by the “Bad Guys” is the CrossRAT malware. CrossRAT is “cross platform,” affecting Windows, Linux and Mac operating systems. It can do bad stuff if it gets onto your machine, so let's take a look at it.
CrossRAT is a Java-based backdoor that can be deployed on Windows, Linux and macOS systems. Supposedly, if you are not running any form of Java on your Mac then you cannot get infected with CrossRAT malware. New Macs are not supposed to ship with Java, but I can tell you that many people have some form of Apple or Oracle Java installed on their machines to run several types of software and services.
So, how does CrossRAT get on your Mac?
CrossRAT likely ends up on victims’ systems through social engineering, phishing, and in some cases physical access. The use of Facebook groups and WhatsApp messages is mentioned in the report, as well as spear-phishing. It is unknown if fake or infected installers such as Flash Player were used. CrossRAT is Java based, and so infection through a web browser is likely the most common way cybercriminals infect a target. (Intego Newsletter)
It can be installed through a web browser or social apps like Facebook, WhatsApp and of course infected Flash Player installs (naturally). Here is what CrossRAT can do if it gets installed:
- Enumerate root directories on the system
- Enumerate files on the system
- Create blank file on system
- Copy File
- Move file
- Write file contents
- Read file contents
- Heartbeat request
- Get screenshot
That is a lot of bad stuff. You definitely do not want this on your machine. Some Virus/Malware protection Apps are already scanning for this bad boy. But, just to be sure you are not infected, here is what you should do.
To remove CrossRAT malware you need to check in two places on your Mac. Keep in mind, CrossRAT uses the LaunchAgent functionality in your OS to start itself every time you log in. First, navigate into the main OS Library. This is not the User Library; we will get to that in a minute. This is the Library on the root level of your Mac hard drive. You will be looking for a file named mediamgrs.plist at /Library/LaunchAgents/mediamgrs.plist:
Open your hard drive, click on the Library Folder and then on the LaunchAgents Folder. If mediamgrs.plist is in there select it, hold down the Command Key ⌘ and the Delete Key ⌫. You will have to Authenticate because this is in the System level Library.
Next, go into your User ~/Library Folder. If you do not have it showing already, just navigate over to the Finder “Go” menu and select it from the list. Once you have it open in the Finder, you need to look for mediamgrs.jar sitting out in the open at the top level of the ~/Library Folder (that .jar is the Java backdoor itself). If you find it, Delete it:
Next, scroll down to the LaunchAgents Folder inside ~/Library and look for mediamgrs.plist again:
If you find that file, then Delete it. Now, be sure and empty the Trash and do a Restart and all will be well.
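For readers who would rather check from the Terminal, here is a small script that looks in the same three places the steps above walk through and, on request, unloads the launch agent and removes the files. This is an added example, not part of the original post and not from any vendor tool; it assumes only the two artifact names the post gives (mediamgrs.plist and mediamgrs.jar). The two directory parameters exist so the check can be pointed at a test tree instead of the live volume.

```shell
#!/bin/sh
# Added example (not from the original post): find and remove the CrossRAT
# persistence artifacts described above. Assumes the artifact names from the
# post: mediamgrs.plist (LaunchAgent) and mediamgrs.jar (the Java backdoor).

# crossrat_find ROOT HOME_DIR
#   Print each CrossRAT indicator found, one path per line. ROOT is the
#   system volume (default "/"), HOME_DIR the user's home (default $HOME).
#   Nothing is deleted here, so it is safe to run as a pure check.
crossrat_find() {
    root="${1:-/}"
    home_dir="${2:-$HOME}"
    root="${root%/}"          # avoid "//Library" when ROOT is "/"
    home_dir="${home_dir%/}"
    for f in \
        "$root/Library/LaunchAgents/mediamgrs.plist" \
        "$home_dir/Library/mediamgrs.jar" \
        "$home_dir/Library/LaunchAgents/mediamgrs.plist"
    do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# crossrat_count ROOT HOME_DIR
#   Print the number of indicators found (0 means the machine looks clean).
crossrat_count() {
    crossrat_find "$1" "$2" | wc -l | tr -d ' '
}

# crossrat_remove ROOT HOME_DIR
#   Unload any found LaunchAgent plist (only where launchctl exists, i.e. on
#   macOS) and delete every indicator. The copy under /Library needs root,
#   which matches the "Authenticate" step in the post: run with sudo for that.
crossrat_remove() {
    crossrat_find "$1" "$2" | while IFS= read -r f; do
        case "$f" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$f" 2>/dev/null || true
                fi ;;
        esac
        rm -f "$f" && printf 'REMOVED: %s\n' "$f"
    done
}

# Usage when run as a script:  sh crossrat.sh scan   |  sudo sh crossrat.sh remove
case "${1:-}" in
    scan)   crossrat_find / "$HOME"; echo "indicators found: $(crossrat_count / "$HOME")" ;;
    remove) crossrat_remove / "$HOME" ;;
esac
```

Run `scan` first and only use `remove` if it actually lists something. After removal, `launchctl list | grep mediamgrs` should print nothing, and the Trash step from the post is not needed because `rm` deletes outright; a restart is still a good idea so any running Java process started by the agent is gone.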
There is lots of bad stuff out there that can hurt our Macs. We need to remain ever vigilant in our fight against the computer malware bad guys.