CronRat Magecart malware uses 31st February date to remain undetected

The malware allows for server-side payment skimming that bypasses browser security

Cronrat strikes Linux

Security researchers have discovered a Linux-based remote access trojan (RAT) that uses an unusual stealth technique to remain out of sight from security products.

The malware, dubbed CronRat, hides in the calendar subsystem of Linux servers (“cron”) on a non-existent day, 31 February, according to a blog post by security researchers at Sansec.

The researchers said that CronRat “enables server-side Magecart data theft which bypasses browser-based security solutions”. The malware was discovered on several eCommerce websites injecting Magecart payment skimmers in server-side code.

Sansec director of threat research Willem de Groot said that digital skimming is moving from the browser to the server, and this is yet another example.

“Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” he added.

The malware uses Linux’s cron job scheduling utility to hide from discovery. It adds several tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid but would generate a runtime error when executed.

“However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding,” said researchers.
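The detection angle that follows from the description above is simple to automate: a crontab entry whose day-of-month can never occur in its scheduled month, or whose command field carries a long encoded blob, is worth a second look. The scanner below is an added example written for this article, not code from Sansec or from the CronRat analysis. The crontab it reads is constructed for the example; only the schedule field "52 23 31 2 3" comes from the article, and the base64 string is a harmless encoding of the alphabet standing in for a real payload.

```python
"""Flag crontab lines whose schedule can never fire (e.g. day 31 of February)
and lines whose command field contains a long base64-like blob."""
import calendar
import re
from typing import Dict, List

# Constructed sample crontab (not from the article or from a real infection).
# Line 3 uses the schedule quoted in the article; its command is a placeholder
# blob (base64 of the alphabet), not the real encoded task.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
52 23 31 2 3 echo QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk= | base64 -d
30 4 31 4 * /usr/local/bin/backup.sh
15 3 30 * * /usr/bin/logrotate /etc/logrotate.conf
"""

# 40+ base64-alphabet characters in a row, optional padding.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _expand(field: str, lo: int, hi: int) -> set:
    """Expand one numeric cron field (*, a-b, a,b,c, */n) into the ints it matches.
    Raises ValueError on names such as 'feb' or 'mon', which the caller reports."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def impossible_dates(dom_field: str, mon_field: str) -> bool:
    """True if no day-of-month/month pair in the schedule exists on any calendar.
    Month lengths are taken from a leap year so Feb 29 is allowed; Feb 30/31 is not."""
    days = _expand(dom_field, 1, 31)
    months = _expand(mon_field, 1, 12)
    max_len = {m: calendar.monthrange(2024, m)[1] for m in range(1, 13)}  # 2024 is a leap year
    return not any(d <= max_len[m] for d in days for m in months)


def scan_crontab(text: str) -> List[Dict]:
    """Return one finding per suspicious line: line number, schedule, reasons."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:  # @reboot/@daily shortcuts and malformed lines are skipped
            continue
        _minute, _hour, dom, mon, _dow, cmd = fields
        reasons = []
        try:
            if impossible_dates(dom, mon):
                reasons.append("schedule can never fire (impossible day/month)")
        except ValueError:
            reasons.append("unparseable schedule field")
        if BASE64_BLOB.search(cmd):
            reasons.append("long base64-like blob in command")
        if reasons:
            findings.append({"line": lineno, "schedule": " ".join(fields[:5]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']} [{f['schedule']}]: {'; '.join(f['reasons'])}")
```

Run it against `crontab -l -u <user>` output or the files under `/etc/cron.d` and `/var/spool/cron`. The day-of-week field is deliberately ignored by the date check: cron(5) runs a job when either day-of-month or day-of-week matches once both are restricted, so an entry with an impossible day-of-month should be inspected rather than assumed inert.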


According to researchers, the malware is a sophisticated Bash program that features self-destruction, timing modulation, and a custom binary protocol to communicate with a foreign control server. Upon launch, it contacts the control server using an exotic feature of the Linux kernel that enables TCP communication via a file using a fake banner for the Dropbear SSH service. This also helps to keep the malware hidden.

It also contacts a server hosted on Alibaba in China, and uses a custom binary protocol with random checksums, to avoid detection by firewalls and packet inspectors.

Once contact with a C2 server is established, it drops its disguise and sends and receives numerous commands, and downloads a malicious dynamic library. Afterwards, the malware is ready to run any command on a compromised system.

While investigating this RAT, the researchers wrote another specially crafted RAT client to intercept commands. This led to the discovery of yet another RAT that researchers hope to study in-depth later.
