New Linux malware CronRAT hides in tasks set to execute on February 31

Researchers found a RAT with never-before-seen stealth tactics – masking the actions with the non-existent calendar day

Magecart attacks can be launched on Linux servers due to CronRAT.

Security experts have discovered a remote access trojan that runs on Linux machines and can remain invisible because it hides in tasks scheduled for execution on February 31st, a day that does not exist.[1] CronRAT is malware aimed at web stores that enables online payment skimmer threats on Linux servers.[2]

Attackers can deploy this malware and steal credit card data. The RAT can stay under the radar: many AV engines do not detect the threat as malicious or potentially dangerous during these Magecart attacks.[3] This is a serious threat to Linux eCommerce servers because the remote access trojan can:

  • execute fileless malware;
  • launch malware in separate Linux subsystems;
  • control servers disguised as Dropbear SSH services;
  • hide the payload in legitimate CRON scheduled tasks;
  • run anti-tampering commands or time modulation.

The threat bypasses browser-based security software scans, and researchers have already found samples of this RAT on various online stores. Leveraging cron, the job-scheduler utility for Unix, allows the threat actor to hide malicious payloads. This lets the malware execute any attack commands, which can put Linux servers at risk and cause huge losses and breaches.[4]

Achieving stealth with sophisticated new methods

The cron scheduling system on Linux accepts any date specification as long as it has a valid format, even when the specified day does not exist and the scheduled task will therefore never execute. This is the method that allowed CronRAT to achieve stealth. The Sansec research team explains[5] the method:

The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st.
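As an added illustration (not code from the article or from Sansec), the check below scans a per-user crontab for entries whose day-of-month/month combination never occurs, the pattern the quoted "52 23 31 2 3" line relies on; the sample crontab and its paths are constructed for this example.

```python
# Per-user crontab format (minute hour dom month dow command), numeric fields
# only; month/weekday names such as 'feb' are left to a fuller parser.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,  # 29: leap years
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

def expand_field(field, lo, hi):
    """Expand one crontab field ('*', '1-5', '*/15', '3,7') into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        values.update(range(start, end + 1, step))
    return values

def never_fires_by_date(entry):
    """True when every day-of-month/month pair of a crontab line is a date that
    does not exist (e.g. 31 2). The day-of-week field is ignored on purpose:
    Vixie cron runs a job when a restricted day-of-month OR a restricted
    day-of-week matches, so a phantom date is worth flagging either way."""
    fields = entry.strip().split(None, 5)
    if len(fields) < 6 or fields[0].startswith(("#", "@")):
        return False
    _minute, _hour, dom, month, _dow, _command = fields
    try:
        days, months = expand_field(dom, 1, 31), expand_field(month, 1, 12)
    except ValueError:
        return False  # non-numeric field: not handled here
    return all(d > DAYS_IN_MONTH.get(m, 0) for d in days for m in months)

def find_phantom_jobs(crontab_text):
    """Return (line number, line) for entries scheduled on non-existent dates."""
    return [(n, line) for n, line in enumerate(crontab_text.splitlines(), 1)
            if never_fires_by_date(line)]

# Constructed sample crontab (paths are made up): line 2 mirrors the
# "52 23 31 2 3" specification quoted above, line 4 schedules 30 February.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
52 23 31 2 3 /tmp/.cache/.run
0 3 * * * /usr/local/bin/backup.sh
30 4 30 2 * /var/tmp/.update
15 1 1-31 * * /usr/local/bin/rotate.sh
"""
```

Running `find_phantom_jobs(SAMPLE_CRONTAB)` returns lines 2 and 4 only; the `1-31 * *` entry is not flagged because most of its dates do exist.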

Multiple compression layers and Base64 encoding help with payload obfuscation. The code of this malware also includes self-destruction, timing modulation, and communication with remote servers. Even the latter, communication with a remote command and control server, involves an “exotic feature.”

Researchers say that the Linux kernel feature used for this enables TCP communication via a file. The TCP connection uses a fake banner for the Dropbear SSH service, which is one of the methods helping this trojan remain undetected.

Security risks for eCommerce

CronRAT has already been found in multiple stores across the world. The threat was injected on the server and used in Magecart attacks. A payment skimmer can create major issues: stolen credit card details and other personal information can result in financial losses for people and even identity theft. These so-called Magecart attacks are becoming popular.

Digital skimming is moving from browsers only to servers, and this is one example. Online stores may only use browser-based security measures, and criminals use this fact to their advantage. An unprotected back end can be exploited, so security professionals should consider mitigation techniques for the full attack surface and think about protecting all ends and all possible flaws.

eCommerce sites and online shoppers are an attractive target these days because shopping is mainly done online given the current situation. Also, the last months of the year are when scammers up their game because of all of the Black Friday and holiday deals.[6]

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
