NginRAT

The cybersecurity experts at Sansec have recently discovered a new NginRAT malware that targets the Nginx webserver to steal data from eCommerce websites.

This new NginRAT malware remains hidden on a host Nginx application due to which it easily manages to evade. In short, to masquerade its presence NginRAT hacks a host Nginx application by modifying the core functionality of the Linux host system.

The web server of eCommerce websites runs several Nginx processes, and they all look like other regular processes, so, it’s very hard to spot them.

Affected country servers

NginRAT was detected in severs of the following countries and here they are mentioned below:-

  • The US
  • Germany
  • France

The CronRAT using the custom commands talks with its control server at 47.115.46.167:443, and here to “/dev/shm/php-shared” the “dwn” downloads a Linux system library, and after this, the CronRAT malware launch the following code as instructed:-

env LD_L1BRARY_PATH=”[580 bytes]” \

    LD_PRELOAD=/dev/shm/php-shared \

    /usr/sbin/nginx –help –help –help –help –help –help –help –help \

    –help –help –help –help –help –help –help –help –help –help –help \

    –help –help –help –help –help –help –help –help –help –help –help \

    –help –help –help –help –help –help –help –help –help –help –help \

    –help –help –help –help –help –help –help –help –help 1>&2 &

Just like the NginRAT malware, the CronRAT is also malware that is mainly designed to provide remote access to the attackers into the compromised servers.

Here, in Linux using the LD_PRELOAD debugging feature which is used to test the system libraries, the attacker launch the Linux system library.

In the end, several times, the hackers’ ads the “help” option to hide the execution through which into the host Nginx app they inject the NginRAT malware.

According to the report “The operators of the new NginRAT malware and CronRAT malware use these two families of malware to record data submitted by users (POST requests) by modifying the server-side code.”

Detect and remove NginRAT

The standard /proc/PID/exe will point to Nginx instead of pointing to the malware since the NginRAT malware disguise itself as a legitimate Nginx host process.

But, here, if you want to detect and remove the NginRAT then you have to use the LD_L1BRARY_PATH (with typo), as this will reveal the presence of NginRAT and then you have to run the below command:-

$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/

/proc/17199/environ

/proc/25074/environ

By running the above code will show you all the compromised processes, and then you have to kill them with kill -9 <PID>.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.