CronRAT: A New Linux Malware That’s Scheduled to Run on February 31st

by admin 0 Comments

Cyber Security

Products You May Like

Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Researchers have unearthed a new remote access trojan (RAT) for Linux that employs a never-before-seen stealth technique that involves masking its malicious actions by scheduling them for execution on February 31st, a non-existent calendar day.

Dubbed CronRAT, the sneaky malware “enables server-side Magecart data theft which bypasses browser-based security solutions,” Sansec Threat Research said. The Dutch cybersecurity firm said it found samples of the RAT on several online stores, including an unnamed country’s largest outlet.

Automatic GitHub Backups

CronRAT’s standout feature is its ability to leverage the cron job-scheduler utility for Unix to hide malicious payloads using task names programmed to execute on February 31st. Not only does this allow the malware to evade detection from security software, but it also enables it to launch an array of attack commands that could put Linux eCommerce servers at risk.

“The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3,” the researchers explained. “These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st.”

The RAT — a “sophisticated Bash program” — also uses many levels of obfuscation to make analysis difficult, such as placing code behind encoding and compression barriers, and implementing a custom binary protocol with random checksums to slip past firewalls and packet inspectors, before establishing communications with a remote control server to await further instructions.

Prevent Data Breaches

Armed with this backdoor access, the attackers associated with CronRAT can run any code on the compromised system, the researchers noted.

“Digital skimming is moving from the browser to the server and this is yet another example,” Sansec’s Director of Threat Research, Willem de Groot, said. “Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface.”

This article was originally published by Thehackernews.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Samsung Galaxy M35 5G India Launch Teased, Might Go on Sale During Amazon Prime Day
8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining
Honor 200 5G Series Confirmed to Launch in India; Amazon Page Goes Live
Apple’s Cheaper Version of Vision Pro May Use Larger but Lower-Resolution Displays: Report
OnePlus Summer Launch Event to Be Held on July 16; OnePlus Nord 4, Buds 3 Pro, and Watch 2R Expected

Leave a Reply

Your email address will not be published. Required fields are marked *