Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.
Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.
Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.
Note! Your computer might be affected by CrossRAT and other threats.
Threats such as CrossRAT may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files. SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy
Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.
This article has been created in order to explain what is the CrossRAT Trojan Horse infection and how to remove it completely from your computer.
A new, highly dangerous Trojan horse going by the detection Trojan:Java/Trupto has been reported to cause immense harm to Linux, Windows and MacOS computer. The Trojan is a RAT (Remote Access Trojan) type and is dubbed CrossRAT by researchers. The virus is written in JavaScript and it can perform series of dangerous activities on computers once it infects them, ranging from modifying files, writing files, taking screenshots and running DLLs to infect your computer with other viruses. The CrossRAT Trojan has been reported by series of researchers to come onto victim computers via a .jar file via series of methods with very low detection rate. Read this article to learn more about the CrossRAT Trojan plus methods on how to remove it from your computer plus how to secure it against further infections.
Threat Summary
Name
CrossRAT
Type
Remote Access Trojan
Short Description
Aims to infect the computer and remain silently on the victim’s computer in order to allow hackers to control it from distance.
Symptoms
The CrossRAT Trojan is generally designed to remain silent, but new files may be created on your PC plus infected computers may act strangely.
Distribution Method
Via malicious web links, infected e-mail attachments as well as fake setup files and programs.
The CrossRAT Trojan may enter your computer via many different methods, the main suspect of which is via a malicious web redirect to a page which automatically downloads and runs the .jar files which causes the infection. One sample of the malicious file, infecting with the CrossRAT Trojan has been reported to have the following technical parameters according to VirusTotal:
The bad news here is that no system is secure, even Linux OS. This suggests that very experienced malware writers may be behind this remote access Trojan.
The main method by which you may have come into contact with the CrossRAT trojan is if you have visited a web page, which causes an automatic browser redirect to a web page which can infect you simply by you having to visit it.
Another way by which you may become a victim of this Trojan horse is if you have opened a file, which you believe is legitimate and it contains the CrossRAT infection script which causes the infection by you opening the file. Such files are often fake setups of programs, fake key generators, game cracks and other software you may have downloaded via Torrent websites.
The last but not least important method by which this Trojan may have infected your computer is if you have opened an e-mail attachment, like an infected Microsoft Office document, believing it is a legitimate invoice, receipt for purchase online or other form of seemingly legitimate file. Such e-mails often pretend to come from companies from the likes of eBay, PayPal, DHL and other reputable names.
CrossRAT Trojan – Analysis
Remote access Trojans are not a new concept. However, when we see a RAT which is compatible with the three most widely used operating systems in the world – Windows, MacOS and Linux, it is definitely a cause for alarm. Furthermore, the EFF have established that the Trojan has been created and supported by the Dark Caracal hacker group, which may be based on Lebanon in order to spy on government employees and journalists in more than 20 countries all over the globe.
The CrossRAT Trojan has many capabilities, the primary of which are:
To evade conventional anti-virus software protection.
To manipulate the files on the computers it infects.
According to a technical report by ex-NSA hacker Partrick Wardle, the activity of the malware once it infects your computer is very sophisticated and experienced developers are behind it. Once this Trojan finds itself in a computer system, it perform the following steps:
1-Scans the infected computer in order to establish the OS it’s running, the security software installed on it. 2-Uses the information from scanning the infected PC in order to infect it with the tools which are most likely to be undetectable. 3-Assumes administrative access to gain full control of the infected machine.
The CrossRAT Trojan can be identified on different computers based on different modifications it performs on different OS’s. Here are it’s main symptoms that give it away:
For Windows PC’s:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ in which a value string is added, containing Data in which the “java”, “-jar” and “mediamgrs.jar” commands are present.
For MacOS computers:
Mediamgrs.jar, dropped in ~/Library and a launch agent is dropped in ~/Library/LaunchAgens, called mediamgrs.plist
For Linux computers:
The .jar file mediamgrs.jar is created in the /usr/var directory plus an “autostart” type of file is added in ~/.config/autostart/ which may be named mediamgrs.desktop
It is advisable to immediately take action in case you see any hints of having CrossRAT on your computer and if you see any of the detections we have described in the “Detect and Remove” section below to perform the following activities as described methodically:
1. Stop your Internet Access. 2. Change all of your passwords on your online accounts from a secure PC. 3. Move all of your important files on a flash drive from your PC or use other method to transfer them. 4. After having done those, follow the instructions from the “Detect and Remove” paragraph below.
CrossRAT Trojan – How to Detect and Remove
CrossRAT Trojan is detected by most antivirus engines under the following names:
CrossRAT Detection names
Ad-Aware Trojan.Java.Agent.ALD
AegisLab Backdoor.Java.Crossrat!c
AhnLab-V3 JAVA/Trupto
ALYac Backdoor.Java.CrossRAT
Antiy-AVL Trojan/Win32.TGeneric
Arcabit Trojan.Java.Agent.ALD
Avast Java:Malware-gen [Trj]
AVG Java:Malware-gen [Trj]
Avira JAVA/Agent.eipee
BitDefender Trojan.Java.Agent.ALD
Bkav W32.JavaNVA.Worm
CAT-QuickHeal Trojan.JAVA.Agent.5191
Cyren Java/Agent.BGG
DrWeb Java.CrossRat.1
Emsisoft Trojan.Java.Agent.ALD (B)
eScan Trojan.Java.Agent.ALD
ESET-NOD32 Java/Trupto.A
F-Prot Java/Agent.BGG
GData Trojan.Java.Agent.ALD (2x)
Ikarus Backdoor.Java.CrossRat
Kaspersky Backdoor.Java.CrossRAT.a
MAX malware (ai score=97)
McAfee RDN/Generic.dx
McAfee-GW-Edition Java/CrossRat
Microsoft Trojan:Java/Trupto.A
Qihoo-360 Trojan.Generic
Rising Trojan.CrossRAT!1.B001 (CLASSIC)
Sophos AV Java/Agent-AYAW
Symantec Trojan.Maljava
Tencent Java.Backdoor.Crossrat.Ebqt
TrendMicro JAVA_CRAT.A
TrendMicro-HouseCall JAVA_CRAT.A
ViRobot JAVA.S.Agent.222543
ZoneAlarm Backdoor.Java.CrossRAT.a
Source: VirusTotal
In order to remove this virus, you should follow the manual or automatic removal instructions down below. They are specifically designed in order to help you to delete this virus methodologically. Be advised that if you feel unsure to delete the CrossRAT Trojan manually, experts strongly advise to do so automatically by downloading an advanced anti-malware tool as it is likely the best option to fully erase this malware and secure your computer at a click of a button.
Note! Your computer system may be affected by CrossRAT and other threats. Scan Your PC with SpyHunter SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as CrossRAT. Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
To remove CrossRAT follow these steps:
1. Boot Your PC In Safe Mode to isolate and remove CrossRAT files and objects
OFFER
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your PC with SpyHunter
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria
Boot Your PC Into Safe Mode
1. For Windows XP, Vista and 7. 2. For Windows 8, 8.1 and 10. Fix registry entries created by malware and PUPs on your PC.
For Windows XP, Vista and 7 systems:
1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu. 2. Select one of the two options provided below:
– For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.
– For PCs with multiple operating systems: Тhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.
3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter“.
4. Log on to your computer using your administrator account
While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.
Step 1: Open up the Start Menu.
Step 2: Click on the Power button (for Windows 8 it is the little arrow next to the “Shut Down” button) and whilst holding down “Shift” click on Restart.
Step 3: After reboot, a blue menu with options will appear. From them you should choose Troubleshoot.
Step 4: You will see the Troubleshoot menu. From this menu choose Advanced Options.
Step 5: After the Advanced Options menu appears, click on Startup Settings.
Step 6: From the Startup Settings menu, click on Restart.
Step 7: A menu will appear upon reboot. You can choose any of the three Safe Mode options by pressing its corresponding number and the machine will restart.
Some malicious scripts may modify the registry entries on your computer to change different settings. This is why cleaning your Windows Registry Database is recommended. Since the tutorial on how to do this is a bit long and tampering with registries could damage your computer if not done properly you should refer and follow our instructive article about fixing registry entries, especially if you are unexperienced in that area.
2. Find files created by CrossRAT on your PC
Find files created by CrossRAT
1. For Windows 8, 8.1 and 10. 2. For Windows XP, Vista, and 7.
For Newer Windows Operating Systems
Step 1:
On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
Step 2:
Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
Step 3:
Navigate to the search box in the top-right of your PC’s screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be “fileextension:exe”. After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navination box to fill up in case the PC is looking for the file and hasn’t found it yet.
For Older Windows Operating Systems
In older Windows OS’s the conventional approach should be the effective one:
Step 1:
Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
Step 2:
After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
Step 3:
After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
IMPORTANT! Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode. This will enable you to install and use SpyHunter 5 successfully.
Use SpyHunter to scan for malware and unwanted programs
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
Scan your PC and Remove CrossRAT with SpyHunter Anti-Malware Tool and back up your data
1. Install SpyHunter to scan for CrossRAT and remove them.2. Scan with SpyHunter, Detect and Remove CrossRAT. Back up your data to secure it from malware in the future.
Step 1: Click on the “Download” button to proceed to SpyHunter’s download page.
It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
Step 2: Guide yourself by the download instructions provided for each browser.
Step 3: After you have installed SpyHunter, wait for it to update automatically.
Step 1: After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
Step 2: After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the ‘Next’ button.
Step 3: If any threats have been removed, it is highly recommended to restart your PC.
Back up your data to secure it against attacks in the future
IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats. We recommend you to read more about it and to download SOS Online Backup.
Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.
Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.
This article has been created in order to explain what is the CrossRAT Trojan Horse infection and how to remove it completely from your computer.
1. For Windows XP, Vista and 7.
2. For Windows 8, 8.1 and 10.
Fix registry entries created by malware and PUPs on your PC.
1. Install SpyHunter to scan for CrossRAT and remove them.
Back up your data to secure it from malware in the future.
