New Linux malware 'CronRAT' hides in cron jobs with invalid dates, downloads another stealthy trojan

guest · Dec 6, 2021

New Linux malware hides in cron jobs with invalid dates
November 25, 2021

Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st.

Dubbed CronRAT, the malware is currently targeting web stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.
Characterized by both ingenuity and sophistication, as far as malware for online stores is concerned, CronRAT is undetected by many antivirus engines.
Click to expand...

Clever hideout for payloads
CronRAT abuses the Linux task scheduling system, cron, which allows scheduling tasks to run on non-existent days of the calendar, such as February 31st.

“The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st,” Sansec Researchers explain.
The payloads are obfuscated via multiple layers of compression and Base64 encoding. Cleaned up, the code includes commands for self-destruction, timing modulation, and a custom protocol that allows communication with a remote server.
Click to expand...

Update [November 26, 2021]: Added image showing the obfuscated Bash code.
Click to expand...

Sansec: CronRAT malware hides behind February 31st

In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed “CronRAT”, hides in the Linux calendar system on February 31st. It is not recognized by other security vendors and is likely to stay undetected on critical infrastructure for the coming months. CronRAT enables server-side Magecart data theft which bypasses browser-based security solutions.
Click to expand...

Rasheed187 · Nov 28, 2021

So much for not needing any third party tools to protect systems based on Linux/Unix LOL. However, it isn't explained how the malware was installed, was this done via remote code execution, or was it simply an insider attack?

nicolaasjan · Nov 28, 2021

Rasheed187 said: ↑

So much for not needing any third party tools to protect systems based on Linux/Unix LOL.
Click to expand...

No tool would have protected against this, as it is completely new.
Furthermore, when antivirus engines start detecting something, the malware writers have already developed a new variant and the cycle starts again.

Dubbed CronRAT, the malware is currently targeting web stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.
Click to expand...

So nothing to be afraid of if you're just a desktop user.
(and if you are afraid, then just block the command and control server 47.115.46.167 located in China)
In fact most Linux malware is targeted against web servers and especially unpatched ones are vulnerable.

However, it isn't explained how the malware was installed, was this done via remote code execution, or was it simply an insider attack?
Click to expand...

This was a shell script, so probably a dumb user clicked on an email attachment.
End user awareness is crucial.

nicolaasjan · Nov 28, 2021

About these so called Magecart attacks (interesting read):

In short: hackers gain access to a store’s source code using unpatched software flaws in various popular e-commerce software. Once a store is under control of a perpetrator, a wiretap or keylogger is installed that funnels live payment data to a collection server. This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for $5 to $30 each.
Click to expand...

Daveski17 · Nov 28, 2021

As I'm just a desktop Ubuntu user I don't view this malware as a real threat. Although I also don't believe in feeding trolls.

nicolaasjan · Nov 28, 2021

Daveski17 said: ↑

As I'm just a desktop Ubuntu user I don't view this malware as a real threat. Although I also don't believe in feeding trolls.
Click to expand...

+1

nicolaasjan · Nov 28, 2021

Daveski17 said: ↑

Although I also don't believe in feeding trolls.
Click to expand...

You're right about that.
But since @Rasheed187 usually posts non-trollish things, I felt the need to answer.
I'll try to avoid that in the future.

Rasheed187 · Nov 28, 2021

nicolaasjan said: ↑

No tool would have protected against this, as it is completely new. Furthermore, when antivirus engines start detecting something, the malware writers have already developed a new variant and the cycle starts again.
Click to expand...

But in the end it did take an AV to spot it right? There is always a chance that some new malware sample will slip true defense systems. But this is now the second high profile stealth attack on Linux servers that I read about.

nicolaasjan said: ↑

This was a shell script, so probably a dumb user clicked on an email attachment. End user awareness is crucial.
Click to expand...

Hmmm, sounds a lot like Windows. I had hoped this attack would require more sophistication.

nicolaasjan said: ↑

You're right about that.
Click to expand...

You can call it trolling, I call it stating facts. Unix isn't as secure as certain people think. This must be difficult to accept for Unix fanboys LOL. But I'm sure you guys will get over it, some day.

Rasheed187 · Nov 28, 2021

nicolaasjan said: ↑

About these so called Magecart attacks (interesting read).
Click to expand...

Thanks for the link, interesting stuff. And BTW, this is what I talked about, it was an attack on Linux and Solaris servers, used to spy on telecom companies, see link. No wonder that more and more security companies are beginning to focus on Unix based systems. For example, Microsoft Defender ATP now also protects macOS systems.

https://www.bleepingcomputer.com/ne...oup-breaches-13-global-telecoms-in-two-years/

Daveski17 · Nov 28, 2021

nicolaasjan said: ↑

You're right about that.
But since @Rasheed187 usually posts non-trollish things, I felt the need to answer.
I'll try to avoid that in the future.
Click to expand...

A troll is still a troll. They just try to provoke a reaction.

Rasheed187 · Nov 28, 2021

nicolaasjan said: ↑

No tool would have protected against this, as it is completely new. Furthermore, when antivirus engines start detecting something, the malware writers have already developed a new variant and the cycle starts again.
Click to expand...

Here is some more info, it's kinda ironic, Unix based systems being protected by M$ LOL. But this type of stuff is needed to tackle these kind of attacks, I'm afraid this is the harsh reality.

https://www.bleepingcomputer.com/ne...r-atp-adds-live-response-for-linux-and-macos/

guest · Dec 6, 2021

New malware hides as legit nginx process on e-commerce servers
December 2, 2021

eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions.

The threat received the name NginRAT, a combination of the application it targets and the remote access capabilities it provides and is being used in server-side attacks to steal payment card data from online stores.
Click to expand...

NginRAT was found on eCommerce servers in North America and Europe that had been infected with CronRAT, a remote access trojan (RAT) that hides payloads in tasks scheduled to execute on an invalid day of the calendar.

NginRAT has infected servers in the U.S., Germany, and France where it injects into Nginx processes that are indistinguishable from legitimate ones, allowing it to remain undetected.
Click to expand...

RATs enable server-side code modification
Researchers at security company Sansec explain that the new malware is delivered CronRAT, although both of them fulfill the same function: providing remote access to the compromised system.

Willem de Groot, director of threat research at Sansec, told BleepingComputer that while using very different techniques to maintain their stealth, the two RATs appear to have the same role, acting as a backup for preserving remote access.
Whoever is behind these strains of malware, is using them to modify server-side code that allowed them to record data submitted by users (POST requests).
Click to expand...

Sansec was able to study NginRAT after creating a custom CronRAT and observing the exchanges with the command and control server (C2) located in China.

“NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself” - Sansec
Click to expand...

Sansec: NginRAT parasite targets Nginx

A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. The parasite is used to steal data from eCommerce servers, also known as “server-side Magecart”. The malware was found on servers in the US, Germany and France. In this post, we show you how to find and remove it.
Click to expand...

Rasheed187 · Dec 4, 2021

mood said: ↑

New malware hides as legit nginx process on e-commerce servers
December 2, 2021
https://www.bleepingcomputer.com/ne...as-legit-nginx-process-on-e-commerce-servers/
Sansec: NginRAT parasite targets Nginx
Click to expand...

Thanks for the heads up, it truly is a bit shocking how stealth this malware operate. But perhaps I shouldn't be as surprised, because most Windows attack vectors will also work on systems like Linux and macOS, see link.

https://attack.mitre.org/matrices/enterprise/linux/

Log in or Sign up

New Linux malware 'CronRAT' hides in cron jobs with invalid dates, downloads another stealthy trojan

guest Guest

Rasheed187 Registered Member

nicolaasjan Registered Member

nicolaasjan Registered Member

Daveski17 Registered Member

nicolaasjan Registered Member

nicolaasjan Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

Daveski17 Registered Member

Rasheed187 Registered Member

guest Guest

Rasheed187 Registered Member

Log in or Sign up

New Linux malware 'CronRAT' hides in cron jobs with invalid dates, downloads another stealthy trojan

guest Guest

Rasheed187 Registered Member

nicolaasjan Registered Member

nicolaasjan Registered Member

Daveski17 Registered Member

nicolaasjan Registered Member

nicolaasjan Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

Daveski17 Registered Member

Rasheed187 Registered Member

guest Guest

Rasheed187 Registered Member

Useful Searches