The cybersecurity analysts at Sansec Threat Research, a Dutch cyber-security company, have recently discovered a new RAT (Remote Access Trojan) for Linux systems that utilizes a stealth method never seen before. This new malware hides its malicious activity by scheduling it on February 31st, a missing day on the calendar.
This stealthy malware has the ability to steal server-side data from e-commerce websites or bypass any security solutions that are browser-based, and they do so, by deploying online payment skimmers on the Linux servers.
Apart from this, this stealthy malware has been dubbed as CronRAT, which is characterized by two key factors:-
While in several online retailers, the samples of this RAT have been detected, and among them, there is one of the largest stores from a country that is unspecified.
Stealthy Hideout For Payloads
The ability to use the Unix cron job-scheduler utility to hide malicious payloads using the names of tasks that are scheduled to run on February 31st makes this malware one of the most sophisticated and stealthy.
As long as the dates have a valid format, though the day does not exist in the calendar, the cron system of Linux will accept it. In reality, in the names of the scheduled tasks, CronRAT hides a “sophisticated Bash program.”
While this sophisticated ability allows the malware to launch several attack commands that can compromise e-commerce servers running on Linux, and even they can also evade detection by security solutions as well.
Here’s what the Sansec stated:-
“The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st.”
Abilities of CronRAT
Here, below we have mentioned all the abilities of the CronRAT:-
- Fileless execution
- Timing modulation
- Anti-tampering checksums
- Controlled via binary, obfuscated protocol
- Launches tandem RAT in separate Linux subsystem
- Control server disguised as “Dropbear SSH” service
- Payload hidden in legitimate CRON scheduled task names
Here, Sansec has recommended security professionals consider the entire attack surface since the attackers take advantage of an unsecured internal server, as the online retailers mainly implement browser-only protection.