Monday, January 29, 2018

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.

A wide range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems.

Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.

Although the report focused on the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to have been developed by, or for, the Dark Caracal group.

CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

According to researchers, the Dark Caracal hackers do not rely on any "zero-day exploits" to distribute their malware; instead, they use basic social engineering via posts in Facebook groups and WhatsApp messages, encouraging users to visit attacker-controlled fake websites and download malicious applications.

CrossRAT is written in the Java programming language, making it easy for reverse engineers and researchers to decompile it.

Since, at the time of writing, only two out of 58 popular antivirus solutions (according to VirusTotal) could detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview, including its persistence mechanism, command-and-control communication and its capabilities.

CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware

Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it's running on and then installs itself accordingly.

Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.

Moreover, on Linux systems, the malware also attempts to query systemd files to determine the distribution, such as Arch Linux, CentOS, Debian, Kali Linux, Fedora and Linux Mint, among many others.

CrossRAT then implements OS-specific persistence mechanisms so that it automatically re-executes whenever the infected system is rebooted, and registers itself with the C&C server, allowing remote attackers to send commands and exfiltrate data.

As reported by Lookout researchers, the CrossRAT variant distributed by the Dark Caracal hacking group connects to 'flexberry(dot)com' on port 2223; this address and port are hardcoded in the 'crossrat/k.class' file.

CrossRAT Includes Inactive Keylogger Module

The malware has been designed with some basic surveillance capabilities, which are triggered only when the implant receives the corresponding predefined commands from the C&C server.

Interestingly, Patrick noticed that CrossRAT has also been programmed to use 'jnativehook,' an open-source Java library for listening to keyboard and mouse events, but the malware does not have any predefined command to activate this keylogger.

"However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies its version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete," Patrick said.

How to Check If You're Infected with CrossRAT?

Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.

For Windows:
  • Check the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\' registry key.
  • If infected, it will contain a command that includes java, -jar and mediamgrs.jar.
For macOS:
  • Check for the jar file, mediamgrs.jar, in ~/Library.
  • Also look for a launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
For Linux:
  • Check for the jar file, mediamgrs.jar, in /usr/var.
  • Also look for an 'autostart' file in ~/.config/autostart, likely named mediamgrs.desktop.
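As an added example (not code from the original article, from Lookout or from Patrick Wardle), here is a small Python script that automates the checks above on the host it runs on. The only indicator names it uses are the ones listed (mediamgrs.jar, mediamgrs.plist, mediamgrs.desktop and the HKCU Run key); the script structure and function names are my own.

```python
"""Check this host for the CrossRAT persistence artifacts listed above.

Indicator names come from the write-up; the rest is illustrative code
added here, not the original researchers' tooling.
"""
import platform
import os
import sys

JAR_NAME = "mediamgrs.jar"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def run_value_is_suspicious(value):
    """True if a Run-key command line matches the pattern in the write-up:
    it invokes java with -jar on mediamgrs.jar."""
    v = value.lower()
    return "java" in v and "-jar" in v and JAR_NAME in v


def candidate_paths(system, home):
    """Return the OS-specific persistence locations to inspect.

    system: 'windows', 'darwin' or 'linux' (platform.system().lower()).
    home:   the user's home directory, without a trailing slash.
    """
    if system == "darwin":
        return [
            f"{home}/Library/{JAR_NAME}",
            "/Library/LaunchAgents/mediamgrs.plist",
            f"{home}/Library/LaunchAgents/mediamgrs.plist",
        ]
    if system == "linux":
        return [
            f"/usr/var/{JAR_NAME}",
            f"{home}/.config/autostart/mediamgrs.desktop",
        ]
    # Windows persistence is via the registry and is checked separately.
    return []


def present_paths(paths):
    """Keep only the paths that actually exist on this host."""
    return [p for p in paths if os.path.exists(p)]


def windows_run_hits():
    """Enumerate HKCU\\...\\Run and return matching 'name = command' entries.

    Returns [] on non-Windows hosts, where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY)
    except OSError:
        return hits
    with key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            if isinstance(value, str) and run_value_is_suspicious(value):
                hits.append(f"{name} = {value}")
            index += 1
    return hits


def check_host():
    """Run every check that applies to the current OS and return findings."""
    system = platform.system().lower()
    home = os.path.expanduser("~").rstrip("/")
    findings = present_paths(candidate_paths(system, home))
    if system == "windows":
        findings.extend(windows_run_hits())
    return findings


if __name__ == "__main__":
    found = check_host()
    if found:
        print("Possible CrossRAT persistence artifacts:")
        for item in found:
            print("  " + item)
        sys.exit(1)
    print("No CrossRAT persistence artifacts found.")
```

A hit on any of these paths or Run-key values is only an indicator; confirm by inspecting the file before treating the host as infected.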

How to Protect Against CrossRAT Trojan?

Only 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means your AV is unlikely to protect you from this threat.

"As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java," Patrick said.

"Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra)."

Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.


Someone Stole Almost Half a BILLION Dollars from Japanese Cryptocurrency Exchange

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 in Ripples).

In 2014, Mt Gox, one of the largest bitcoin exchanges at that time, filed for bankruptcy after admitting it had lost $450 million worth of bitcoin.

Apparently, the cryptocurrency markets reacted negatively to the news, which resulted in a 5% drop in the Bitcoin price early this morning.

In a blog post published today, the Tokyo-based cryptocurrency exchange confirmed the cyber heist without explaining how the tokens were stolen, and abruptly froze most of its services, including deposits, withdrawals and trade of almost all cryptocurrencies, except Bitcoin.

Coincheck also said it had stopped deposits into NEM, which resulted in a 16.5% drop in the NEM coin's value, as well as other deposit methods including credit cards.

During a late-night press conference at the Tokyo Stock Exchange, Coincheck Inc. co-founder Yusuke Otsuka also said that over 500 million NEM tokens (then worth around $420 million) were taken from Coincheck's digital wallets on Friday, but the company didn’t know how the tokens went missing, according to news source Asahi.

The digital-token exchange has already reported the incident to the law enforcement authorities and to Japan's Financial Services Agency to investigate the cause of the missing tokens.

"We will report on the damage situation and cause of the case, measures to prevent recurrence, but first we would like you to take every possible measure to protect our customers," said executives of the Financial Services Agency (translated).

This incident marks yet another embarrassing hack in the world of digital currency technology, once again reminding us that the volatility in cryptocurrency prices is not going away anytime soon.

So far, the exchange has not provided any official statement regarding the cause of this hack. We will keep you updated about this incident. Stay Tuned!

15-Year-Old Schoolboy Posed as CIA Chief to Hack Highly Sensitive Information

Remember "Crackas With Attitude"?

It is the notorious pro-Palestinian hacking group that was behind a series of embarrassing hacks against United States intelligence officials and that leaked the personal details of 20,000 FBI agents, 9,000 Department of Homeland Security officers, and some number of DoJ staffers in 2015.

Believe it or not, the leader of this hacking group was just 15 years old when he used "social engineering" to impersonate the CIA director and gain unauthorised access to highly sensitive information from his Leicestershire home, as revealed during a court hearing on Tuesday.

Kane Gamble, the British teenage hacker, now 18 years old, targeted then CIA director John Brennan, Director of National Intelligence James Clapper, Secretary of Homeland Security Jeh Johnson, FBI deputy director Mark Giuliano, as well as other senior FBI figures.

Between June 2015 and February 2016, Gamble posed as Brennan and tricked call centre and helpline staff into giving away broadband and cable passwords, with which the group also gained access to plans for intelligence operations in Afghanistan and Iran.

The teenager also taunted his victims and their families, released their personal details, bombarded them with calls and messages, downloaded and installed pornography onto their computers and took control of their iPads and TV screens.

He also made hoax calls to Brennan's home and took control of his wife’s iPad.

At one point, Gamble also sent DHS secretary Johnson a photograph of his daughter and said he would f*** her, phoned his wife, leaving a voicemail message which said: "Hi Spooky, am I scaring you?," and even managed to get the message "I own you" on the couple's home television.

Gamble was arrested in February 2016 at his council home in Coalville and last October he pleaded guilty to 8 charges of "performing a function with intent to secure unauthorised access" and 2 charges of "unauthorised modification of computer material."

Gamble said he targeted the US government because he was "getting more and more annoyed about how corrupt and cold-blooded the US Government" was and "decided to do something about it."

Gamble's defence said he was technically gifted but emotionally immature and has an autistic spectrum disorder; at the time of his offending, he had the mental development of a 12- or 13-year-old.

Also, the defence said, at no point did Gamble attempt to profit from his actions.

Out of 10 counts, Gamble previously admitted 8 charges of performing a function with intent to secure unauthorised access.

The teenager will be sentenced when the hearing resumes at a later date.

Two other members of the Crackas With Attitude hacking group, Andrew Otto Boggs and Justin Gray Liverman, were arrested by the FBI in September 2016 and have already been sentenced to five years in federal prison.

Over 711 Million Email Addresses Exposed From SpamBot Server


A massive database of 630 million email addresses, used by a spambot to send large amounts of spam, has been published online in what appears to be one of the biggest data dumps of its kind.

A French security researcher, who uses the online handle Benkow, spotted the database on an "open and accessible" server containing a vast number of email addresses, along with millions of SMTP credentials from around the world.

The database is hosted on the spambot server in the Netherlands and is stored without any access controls, making the data publicly available for anyone to access without requiring a password.

According to a blog post published by Benkow, the spambot server, dubbed "Onliner Spambot," has been used to send out spam and spread a banking trojan called Ursnif to users since at least 2016.

The Ursnif banking trojan is capable of stealing banking information from target computers, including credit card data, and other personal information like login details and passwords from browsers and software.

"Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it," Benkow said. "And it's the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign."

As the researcher explained, he found "a huge list of valid SMTP credentials"—around 80 million—which are then used to send spam emails to the remaining 630 million accounts via internet providers' mail servers, making the messages look legitimate so that they bypass anti-spam measures.

The list also contains many email addresses that appear to have been scraped and collected from other data breaches, such as LinkedIn, MySpace and Dropbox.

The researcher was able to identify a list of nearly 2 million email addresses that originated from a Facebook phishing campaign.

The exposed database has been verified by Troy Hunt, who has added the leaked email addresses to his breach notification site.

At the time of writing, it is unclear who is behind the Onliner Spambot.

Users can check for their email addresses on the site, and those affected are obviously advised to change the passwords for their email accounts (and pick a longer and stronger one this time) and to enable two-factor authentication if they haven't yet.

Also, do the same for other online accounts if you are using the same passwords on multiple sites.

Hard-coded Password Lets Attackers Bypass Lenovo's Fingerprint Scanner


Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could allow sensitive data stored by users to leak.

Fingerprint Manager Pro is a utility for the Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software can also be configured to store website credentials and authenticate to sites via fingerprint.

In addition to fingerprint data, the software also stores users' sensitive information, like their Windows login credentials, all of which is encrypted using a weak cryptographic algorithm.

According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762, that made the software accessible to all users with local non-administrative access.

"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said in its advisory, giving a brief description of the vulnerability.

The vulnerability impacts Lenovo ThinkPad, ThinkCentre and ThinkStation devices: more than two dozen ThinkPad models, five ThinkStation models and eight ThinkCentre models that run the Windows 7, 8 and 8.1 operating systems.

Here's the full list of Lenovo devices compatible with Fingerprint Manager Pro and impacted by the vulnerability:
  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900
Lenovo has credited security researcher Jackson Thuraisamy with Security Compass for discovering and responsibly reporting the vulnerability.

The popular Chinese computer manufacturer strongly recommends that its customers update their devices to Fingerprint Manager Pro version 8.01.87 or later to address the issue. You can also head to the company's official website to do so.

Since Microsoft added native fingerprint reader support in the Windows 10 operating system, eliminating the need for the Fingerprint Manager Pro software, Lenovo laptops running Windows 10 are not impacted by the vulnerability.

Friday, January 26, 2018

Android Hacking methods

Top Android hacking application:

1. SpoofApp:- SpoofApp is a Caller ID Spoofing, Voice Changing and Call Recording mobile app for your iPhone, BlackBerry and Android phone. It’s a decent mobile app to help protect your privacy on the phone. However, it has been banned from the Play Store for allegedly being in conflict with The Truth in Caller ID Act of 2009.

2. Andosid:- A DoS tool for Android phones that allows security professionals to simulate a DoS attack (an HTTP POST flood attack, to be exact), and of course a DDoS, against a web server from mobile phones.

3. Faceniff:- Allows you to sniff and intercept web session profiles over the Wi-Fi network your mobile is connected to. It is possible to hijack sessions only when the Wi-Fi network is not using EAP, but it should work over any private network.

4. Nmapper:- (Network Mapper) is a security scanner, originally written by Gordon Lyon, used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmapper sends specially crafted packets to the target host and then analyses the responses.

5. Anti-Android Network Toolkit:- zANTI is a comprehensive network diagnostics toolkit that enables complex audits and penetration tests at the push of a button. It provides cloud-based reporting that walks you through simple guidelines to ensure network safety.

6. SSHDroid:- SSHDroid is an SSH server implementation for Android. This application will let you connect to your device from a PC and execute commands (like “terminal” and “adb shell”) or edit files (through SFTP, WinSCP, Cyberduck, etc).

7. WiFi Analyser:- Turns your Android phone into a Wi-Fi analyser. Shows the Wi-Fi channels around you and helps you find a less crowded channel for your wireless router.

8. Network Discovery:- Discover hosts and scan their ports on your Wi-Fi network. A great tool for testing your network security.

9. ConnectBot:- ConnectBot is a powerful open-source Secure Shell (SSH) client. It can manage simultaneous SSH sessions, create secure tunnels, and copy/paste between other applications. This client allows you to connect to Secure Shell servers that typically run on UNIX-based servers.

10. dSploit:- An Android network analysis and penetration suite offering the most complete and advanced professional toolkit to perform network security assessments on a mobile device.

11. Hackode:- The Hacker’s Toolbox is an application for penetration testers, ethical hackers, IT administrators and cyber security professionals to perform different tasks like reconnaissance, scanning, performing exploits, etc.

12. Androrat:- A Remote Administration Tool for Android. Androrat is a client/server application, developed in Java Android for the client side and in Java/Swing for the server.

13. APKInspector:- APKInspector is a powerful GUI tool for analysts to analyse Android applications. The goal of this project is to aid analysts and reverse engineers in visualizing compiled Android packages and their corresponding DEX code.

14. DroidBox:- DroidBox is developed to offer dynamic analysis of Android applications.

15. Burp Suite:- Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

16. DroidSheep:- DroidSheep can be easily used by anybody who has an Android device, and only the provider of the web service can protect its users. So anybody can test the security of their own account and decide whether to keep using the web service.

17. AppUse:- Android Pentest Platform Unified Standalone Environment. AppSec Labs recently developed the AppUse virtual machine. This system is a unique, free platform for mobile application security testing in the Android environment, and it includes unique custom-made tools created by AppSec Labs.

18. Shark for Root:- A traffic sniffer that works on 3G and Wi-Fi (it works in FroYo tethered mode too). To open the dump, use Wireshark or similar software; to preview the dump on the phone, use Shark Reader. Based on tcpdump.

19. Fing:- Find out which devices are connected to your Wi-Fi network, in just a few seconds.
Fast and accurate, Fing is a professional App for network analysis. A simple and intuitive interface helps you evaluate security levels, detect intruders and resolve network issues.

20. Drozer:- drozer enables you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS. drozer provides tools to help you use and share public Android exploits. It helps you deploy a drozer agent by using weasel, MWR’s advanced exploitation payload.

21. WifiKill:- Another app, also developed by B.Ponury, which can kill connections and kick bandwidth-hogging users off the network. This app kicks the user off the network so they cannot use it anymore. The app also offers a list of the sites viewed by the hog.

22. DroidSniff:- Similar to DroidSheep but with a newer and nicer interface, DroidSniff is a sniffing app not only for Facebook. This app shows you what the hog is looking at, and then you can “take” control, steal the cookies and rock’n’roll. Works perfectly.

23. Network Spoofer:- The last app, called Network Spoofer, is very similar to dSploit but is easier to use. The only hitch is that you need to have at least 500MB of free data. It offers you a lot of troll features: change Google searches, flip images, redirect websites, swap YouTube videos and others.

24. Droid SQLI:- Allows you to test your MySQL-based web application against SQL injection attacks. DroidSQLi supports the following injection techniques: time-based injection, blind injection, error-based injection and normal injection.

25. sqlmapchik:- A cross-platform GUI for the extremely popular sqlmap tool.

26. Whatsapp viewer:- A simple forensic tool. It gives access to WhatsApp chats directly from SQLite databases, even encrypted ones.

27. WhatsAPI:- A platform that allows you to send bulk messages through PHP. The script itself is simple.

Wednesday, January 10, 2018

Ghost Keylogger- Best one for hidden performance

Would you like to know what people are doing on your computer? Would you feel better to know what your children are doing on the internet? Ghost Keylogger can help you!


Ghost Keylogger is an invisible easy-to-use surveillance tool that records every keystroke to an encrypted log file. The log file can be sent secretly with email to a specified receiver.
Ghost Keylogger also monitors the Internet activity by logging the addresses of visited homepages. It monitors time and title of the active application; even text in edit boxes and message boxes is captured.
Some applications of the keylogger
– Monitor your computer while you are away
– Retrieve lost information
– Parents can monitor their children's activity
– Monitor what and when programs are opened
– Find out what you actually wrote
Some features
– Windows 95 / 98 / ME / NT / 2000 / XP compatible
– Invisible (even in the NT / 2000 / XP process list!)
– Send the log file secretly with e-mail
– Customizable key filter
– Encryption of the log file
– Logs the current user and computer name
– Captures passwords and all other hidden text (****)
– Logs the URLs of the visited homepages
– Keeps track of all programs and times
– Monitors multi-user machines
– Optional hotkeys to bring up the application
– Very configurable
– Easy to deploy
About the demo version
The software can’t run invisibly. No features are disabled.

GIBON Ransomware Decryptor Download

All victims will see the .encrypt extension added to the files processed by the ransomware's encryption routine. It is basically a meaningless suffix. The relevant software may be unable to render the data due to the inappropriate extension. This is not a big deal, though. The real issue is the encryption that wrecks the data proper. It cycles over the contents a number of times, and each cycle is strong enough to withstand plain brute-forcing. The encryption by GIBON ransomware is thus invulnerable to direct decryption.

While the scrambling by GIBON ransomware is extremely sophisticated, the way the virus propagates is rather plain. The crooks are free to choose any propagation tactic, be it war-driving or a drive-by download. However, one scheme dominates, and it is as plain as blank-message spamming, also known as blank slate letter dissemination. The attack itself is not that plain: the campaign is selective, so it is targeted spam. It is designed so that the victim opens a malicious JavaScript attached to the message. Few would do so unless the attachment indicated their personal details. That is to say, the spam, though its body and subject line are empty, carries a zip file attachment whose name includes, among other details, the email address and name of the recipient. This has duped too many users into opening the JS.

The JavaScript drops and installs GIBON ransomware into a preset folder. It also contacts the remote server, notifying it of the successful infiltration and basic details of the compromised device. This stage is followed by a scan that determines the data to be encrypted, and then the encryption itself.

Once the encryption is over, each affected item has its name extended with .encrypt. Each folder containing such encrypted data also holds a notification file, which prompts the user to contact the attacker by email. The attackers set the ransom amount in their response to the victim's email. The sum is payable in Bitcoin.

So far, there is no master key or other magic wand for ransom-free decryption. Paying the crooks also does not ensure the data is duly restored. Hopefully, the tips and tools outlined below will recover the data hit by GIBON ransomware to an extent that at least satisfies your basic needs.

Automatic removal of GIBON File Virus

The benefits of using the automatic security suite to get rid of this infection are obvious: it scans the entire system and detects all potential fragments of the virus, so you are a few mouse clicks away from a complete fix.

  1. Download and install the recommended malware security suite:
     https://sureshotsoftware.com/download/gibon-removal-tool
  2. Select the Start Computer Scan feature and wait until the utility comes up with the scan report. Proceed by clicking on the Fix Threats button, which will trigger a thorough removal process to address all the malware issues compromising your computer and your privacy.

Restore files locked by GIBON File Virus

The GIBON File Virus, a new Locky variant, represents a unique category of malicious software whose attack surface reaches beyond the operating system and its components, which is why removing the virus itself is only part of the fix. As mentioned, it encrypts one’s personal information, so the next phase of the overall remediation involves reinstating the files that will otherwise remain inaccessible.
  • Launch data recovery software

    Similarly to the rest of its fellow infections, GIBON File Virus most likely follows an operational algorithm where it erases the original versions of the victim’s files and actually encrypts their copies. This peculiarity might make your day, because forensics-focused applications like Data Recovery Pro are capable of restoring information that has been removed. As the virus further evolves, its modus operandi may be altered; in the meanwhile, go ahead and try this.

  • Take advantage of Volume Shadow Copy Service

    This technique is based on using the native backup functionality that ships with the Windows operating system. Also referred to as Volume Snapshot Service (VSS), this feature makes regular backups of the user’s files and keeps their most recent versions as long as System Restore is on. GIBON File Virus ransomware hasn’t been found to affect these copies; therefore the restoration vector in question is strongly recommended. The two sub-sections below highlight the automatic and manual workflow.

    a) Use Shadow Explorer

    Shadow Explorer is an applet that provides an easy way of retrieving previous versions of files and folders. Its pros include an intuitive interface where the computer’s entire file hierarchy is displayed within one window. Just pick the hard disk volume, select the object or directory to be restored, right-click on it and choose Export. Follow the app’s prompts to get the job done.

    b) Use file properties

    Essentially, what the above-mentioned Shadow Explorer tool does is automate a process that can otherwise be performed manually via the Properties dialog for individual files. This particular approach is more cumbersome but just as effective as its software-based counterpart, so you can proceed by right-clicking on a specific file that has been encrypted by GIBON Virus and selecting Properties in the context menu. The tab named Previous Versions is the next thing to click; it displays the available versions of the file by date of snapshot creation. Pick the latest copy and complete the retrieval by following the prompts.

  • Data backups work wonders

    Ransomware like GIBON Virus isn’t nearly as almighty and destructive if you run regular file backups to the cloud or external data media. The virus itself can be completely removed in a matter of minutes, and the distorted information can then be just as easily recovered from the backup. Luckily, this is a growing trend, so ransom Trojans are hopefully going to become less subversive in the near future.

Verify thoroughness of the removal

Having carried out the instructions above, add a finishing touch to the security procedure by running an additional computer scan to check for residual malware activity.

https://sureshotsoftware.com/download/gibon-removal-tool
