Security researchers have discovered new remote access trojan (RAT) malware that has created an unusual new way of hiding on servers.
As first reported on BleepingComputer[1], this new malware, dubbed CronRAT, hides in scheduled tasks on Linux servers by being set for execution on February 31, a date that doesn't exist.
Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend in Linux server-focused Magecart malware. CronRAT is used to enable server-side Magecart data theft.
SEE: A winning strategy for cybersecurity (ZDNet special report)[2]
The security company describes the malware as "sophisticated", and it remains undetected by most antivirus vendors[3]. After receiving samples, Sansec had to rewrite its detection engine to spot the malware and work out how it operates.
The name CronRAT is a reference to the Linux cron tool, which lets admins create scheduled jobs on a Linux system that run at a specific time of day or on a regular day of the week.
"CronRAT's main feat is hiding in the calendar subsystem of Linux servers ("cron") on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system," explains Sansec in a blog post[4].
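Because cron accepts a day-of-month/month pair syntactically without checking that the date can ever occur, a defender can flag such entries directly. The following is an added example (not code from the article or from Sansec) that scans crontab text for entries whose day and month fields can never coincide; the crontab content is constructed for illustration.

```python
import calendar
import re

# Constructed sample crontab (not from the article or Sansec): one normal
# job, one scheduled for 31 February, and one for 30 April (a real date).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
52 23 31 2 * /tmp/.x/payload.sh
15 6 30 4 * /opt/report.sh
"""

FIELD_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
MONTH_NAMES = {n.lower(): i for i, n in enumerate(calendar.month_abbr) if n}

def _expand(field, lo, hi, names=None):
    """Expand one cron field ('*', lists, ranges, steps, month names) into a set of ints."""
    names = names or {}
    to_int = lambda s: names.get(s.lower()) or int(s)
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (to_int(x) for x in rng.split("-", 1))
        else:
            start = end = to_int(rng)
        values.update(range(start, end + 1, step))
    return values

def impossible_dates(crontab_text):
    """Return (line, command) pairs whose day-of-month/month combination never occurs."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "@")):
            continue  # comments, blanks and @reboot-style shortcuts carry no date
        m = FIELD_RE.match(line)
        if not m:
            continue
        _, _, dom, mon, _, cmd = m.groups()
        days = _expand(dom, 1, 31)
        months = _expand(mon, 1, 12, MONTH_NAMES)
        # A leap year gives February its maximum of 29 days; the entry is
        # impossible only if every listed day exceeds every listed month's length.
        if all(d > calendar.monthrange(2024, mo)[1] for d in days for mo in months):
            hits.append((line, cmd))
    return hits

if __name__ == "__main__":
    for line, cmd in impossible_dates(SAMPLE_CRONTAB):
        print(f"never-firing cron entry: {line!r} -> {cmd}")
```

Run it over `/etc/crontab`, `/etc/cron.d/*` and each user's spool file; a job that can never fire has no legitimate reason to exist and is worth a closer look.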
The malware drops a "sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server," says Sansec.
Magecart card skimmers are a problem that's not going away any time soon as e-commerce continues to play a vital role in shopping during the ongoing pandemic. Ahead of Black Friday, the National Cyber Security Centre (NCSC) warned[5] it had found 4,151 retailers that had been compromised by hackers targeting bugs in checkout pages over the past 18 months. Most of the attacks targeted bugs in popular e-commerce platform Magento. The FBI last year issued a similar warning about Magecart attackers[6] targeting a Magento plugin.
References
- first reported on BleepingComputer (www.bleepingcomputer.com)
- A winning strategy for cybersecurity (www.zdnet.com)
- most antivirus vendors (www.virustotal.com)
- explains Sansec in a blog post (sansec.io)
- National Cyber Security Centre (NCSC) warned (www.zdnet.com)
- issued a similar warning about Magecart attackers (www.zdnet.com)