New Linux malware 'CronRAT' hides in cron jobs with invalid dates, downloads another stealthy trojan

Discussion in 'malware problems & news' started by mood, Nov 27, 2021.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    New Linux malware hides in cron jobs with invalid dates
    November 25, 2021
    Sansec: CronRAT malware hides behind February 31st
     
    Last edited: Dec 6, 2021
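As an added example (not from the thread, the linked articles or Sansec), a small Python check for the trick in the headline: it parses crontab lines and flags any entry whose day-of-month and month fields can never name a real calendar date, which is what a job scheduled for February 31st looks like. The sample crontab lines and paths are constructed.

```python
import calendar
import re
# Longest length of each month over all years (Feb 29 exists in leap years, so day 29 is possible).
MAX_DAYS = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30, 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTH_NAMES = {n.lower(): i for i, n in enumerate(calendar.month_abbr) if n}  # jan..dec -> 1..12
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")  # five fields + command

def expand_field(field, lo, hi, names=None):
    # Expand one cron field ("*", "1,15", "1-5", "*/3", "feb") into the set of ints it covers.
    num = lambda t: (names or {}).get(t.lower()) or int(t)
    values = set()
    for part in field.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (num(t) for t in part.split("-", 1))
        else:
            start = num(part)
            end = hi if step > 1 else start  # "5/2" is read as 5-hi/2, as most crons do
        values.update(range(start, end + 1, step))
    return values

def never_fires(dom_field, month_field):
    # True when no (day-of-month, month) pair is a real calendar date. Vixie cron ORs a restricted
    # day-of-week with day-of-month, so such a job can still run; it is flagged regardless.
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12, MONTH_NAMES)
    return not any(d <= MAX_DAYS[mo] for d in days for mo in months)

def find_impossible_entries(crontab_text):
    # Return crontab lines whose date fields can never match (user-crontab layout; in /etc/crontab
    # the extra user column lands in the command group, so fields 3 and 4 are still dom and month).
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or re.match(r"[A-Za-z_]\w*=", line):
            continue  # blank, comment, @reboot-style shortcut or VAR=value line
        m = CRON_RE.match(line)
        if m and never_fires(m.group(3), m.group(4)):
            hits.append(line)
    return hits

# Constructed sample crontab; the last two entries name dates that do not exist.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
15 4 29 feb * /usr/local/bin/leap-day-report
52 23 31 2 * /var/tmp/.cache/update
0 0 31 4,6 1 /opt/sync
"""
```

Run it over the output of `crontab -l` for each user plus `/etc/crontab` and `/etc/cron.d/*`; the leap-day entry is correctly left alone, the Feb 31 and Apr/Jun 31 entries are reported.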
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
So much for not needing any third-party tools to protect systems based on Linux/Unix LOL. However, it isn't explained how the malware was installed: was this done via remote code execution, or was it simply an insider attack?
     
  3. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    487
    Location:
    The Netherlands
    No tool would have protected against this, as it is completely new.
    Furthermore, when antivirus engines start detecting something, the malware writers have already developed a new variant and the cycle starts again.
    So nothing to be afraid of if you're just a desktop user. :)
    (and if you are afraid, then just block the command and control server 47.115.46.167 located in China)
    In fact most Linux malware is targeted against web servers and especially unpatched ones are vulnerable.

    This was a shell script, so probably a dumb user clicked on an email attachment. :eek:
    End user awareness is crucial.
     
  4. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    487
    Location:
    The Netherlands
    About these so called Magecart attacks (interesting read):
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,873
    Location:
    Lloegyr
    As I'm just a desktop Ubuntu user I don't view this malware as a real threat. Although I also don't believe in feeding trolls.
     
  6. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    487
    Location:
    The Netherlands
    +1
    :thumb:
     
  7. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    487
    Location:
    The Netherlands
    You're right about that.
    But since @Rasheed187 usually posts non-trollish things, I felt the need to answer. ;)
    I'll try to avoid that in the future. :D
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
But in the end it did take an AV to spot it, right? There is always a chance that some new malware sample will slip through defense systems. But this is now the second high-profile stealth attack on Linux servers that I have read about.

    Hmmm, sounds a lot like Windows. I had hoped this attack would require more sophistication.

    You can call it trolling, I call it stating facts. Unix isn't as secure as certain people think. This must be difficult to accept for Unix fanboys LOL. But I'm sure you guys will get over it, some day. :p
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
Thanks for the link, interesting stuff. And BTW, this is what I talked about: it was an attack on Linux and Solaris servers, used to spy on telecom companies, see link. No wonder that more and more security companies are beginning to focus on Unix-based systems. For example, Microsoft Defender ATP now also protects macOS systems.

    https://www.bleepingcomputer.com/ne...oup-breaches-13-global-telecoms-in-two-years/
     
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,873
    Location:
    Lloegyr
    A troll is still a troll. They just try to provoke a reaction.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
Here is some more info; it's kinda ironic, Unix-based systems being protected by M$ LOL. But this type of stuff is needed to tackle these kinds of attacks, I'm afraid this is the harsh reality. :thumb:

    https://www.bleepingcomputer.com/ne...r-atp-adds-live-response-for-linux-and-macos/
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    New malware hides as legit nginx process on e-commerce servers
    December 2, 2021
    Sansec: NginRAT parasite targets Nginx
     
    Last edited: Dec 6, 2021
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
Thanks for the heads-up, it truly is a bit shocking how stealthily this malware operates. But perhaps I shouldn't be as surprised, because most Windows attack vectors will also work on systems like Linux and macOS, see link.

    https://attack.mitre.org/matrices/enterprise/linux/
     