Heimdal Security Blog

CronRAT, the New Linux RAT that Keeps a Low Profile

Researchers have identified a new Linux RAT (Remote Access Trojan), dubbed CronRAT. What sets it apart is its hiding place: it lives in scheduled tasks whose run date is February 31st, a day that, of course, does not exist.

For now CronRAT keeps a low profile, going almost unnoticed, and its targets appear to be web stores. Attackers use it to deploy online payment skimmers on Linux servers, with the end goal of stealing credit card data.

CronRAT: How It Works

Sansec researchers discovered the threat and published a report on it on November 24. These are the characteristics of CronRAT as described in that report:

In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed “CronRAT”, hides in the Linux calendar system on February 31st. It is not recognized by other security vendors and is likely to stay undetected on critical infrastructure for the coming months. CronRAT enables server-side Magecart data theft which bypasses browser-based security solutions.


According to BleepingComputer, many stores worldwide were hit by this remote access trojan in so-called Magecart attacks, where it is injected into server-side scripts that carry out card data theft.

It is dangerous because, as the researchers note, it has a set of capabilities that make it a threat to Linux e-commerce web servers. Among them: timing modulation, anti-tampering checksums, a control server disguised as a Dropbear SSH service, payloads hidden in the names of legitimate scheduled cron tasks, fileless execution, and more.

These features contribute to CronRAT’s lack of detection.

CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system. CronRAT facilitates persistent control over an eCommerce server.

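As an added, defender-side example (not code from this post or from Sansec's report), the following Python script scans a crontab for entries whose day-of-month and month fields name a date that never occurs, so the job can never fire. The sample crontab it reads is constructed for the example and is not a CronRAT artifact. It assumes the standard five-field user crontab format and Vixie cron's rule that, when both the day-of-month and day-of-week fields are restricted, the job runs when either one matches.

```python
import calendar
import re

# Constructed sample crontab for this example; not a real CronRAT entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
# the next two schedules name days that do not exist: they never fire
15 4 31 2 * /usr/local/bin/placeholder-task
30 1 30 2 * /usr/local/bin/other-placeholder
# the 31st of 30-day months: also never fires
0 0 31 4,6,9,11 * /bin/true
# fine: every listed month has 31 days
0 0 31 1,3,5 * /bin/true
@daily /usr/bin/updatedb
"""

# Three-letter month names ('jan', 'feb', ...) are accepted in the month field.
MONTH_NAMES = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}

# minute hour dom month dow command (user crontab layout, no user column)
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def expand_field(field, lo, hi):
    """Expand a cron field ('*', '1-5', '*/15', '1,3,5', '2-10/3') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def normalize_month(field):
    """Replace month names with their numbers; unknown names are left for int() to reject."""
    return re.sub(r"[A-Za-z]{3}",
                  lambda m: str(MONTH_NAMES.get(m.group(0).lower(), m.group(0))), field)


def never_fires(dom_field, mon_field):
    """True when no (day, month) pair in the schedule exists in any year."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(normalize_month(mon_field), 1, 12)
    if not days or not months:
        return False
    for month in months:
        # 2024 is a leap year, so February reports its maximum length of 29 days.
        if min(days) <= calendar.monthrange(2024, month)[1]:
            return False
    return True


def scan_crontab(text):
    """Return [(line_no, line)] for entries that can never run because of their date."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Comments and @reboot/@daily shortcuts carry no dom/month fields.
        if not stripped or stripped[0] in "#@":
            continue
        match = CRON_LINE.match(line)
        if not match:
            continue
        _minute, _hour, dom, mon, dow, _command = match.groups()
        # With a restricted day-of-week, Vixie cron fires when dom OR dow matches,
        # so the impossible date alone does not make the entry dead.
        if dow != "*":
            continue
        try:
            if never_fires(dom, mon):
                findings.append((line_no, stripped))
        except ValueError:
            continue  # unparseable field: leave it to a manual review
    return findings


if __name__ == "__main__":
    for line_no, entry in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: never fires -> {entry}")
```

Run it over the output of `crontab -l` for every account on the host; files under /etc/cron.d and /etc/crontab carry an extra user column before the command, so widen the regex by one field for those. An entry that can never fire has no business being there, and this check covers only the impossible-date trick; the payload-in-task-name technique the report describes still requires looking at the command text itself.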
