Newly discovered Linux malware, CronRAT, has gained attention as it paves the way for Magecart attacks. This malware exhibits unique stealth capabilities, notably, its refuge behind a non-standard date of “February 31” to help evade detection.
CronRAT Linux Malware Active In The Wild
Researchers from the Sansec Threat Research team have discovered the CronRAT Linux malware in the wild exhibiting peculiar stealth functionalities.
According to their blog post, CronRAT currently has a very low detection rate even with robust antimalware solutions. Thus, the researchers fear that it might wreak havoc in the coming days as it will possibly remain undetected.
The malware’s most interesting capability is its unique hiding capability in the calendar subsystem. As stated in the post,
CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system.
This capability further aids the malware to stay hidden as its scheduled tasks should supposedly execute on an imaginary date, “February 31”.
The CronRAT adds a number of tasks to crontab with a curious date specification:
52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st.
Once it reaches a target system, CronRAT gains persistence at the server level. It then drops a self-destructing Bash program exhibiting timing modulation. It also includes a custom binary protocol to connect with an external server. This allows a remote attacker to run any commands.
The researchers also observed this malware facilitating web skimming attacks (Magecart) on the server-side. Hence, it has become a critical threat for eCommerce sites. Therefore, besides browser-based defenses, online store owners should take the necessary steps to improve back-end security.
Let us know your thoughts in the comments.