New Linux malware found lurking in cron jobs with invalid dates such as Feb. 31: Obfuscation technique undetectable even by anti-viruses


A new remote access trojan (RAT) for Linux has been discovered.

CronRAT malware hides behind February 31st

Sansec has discovered an advanced threat packed with never-before-seen stealth technology. The malware, called “CronRAT”, hides in the Linux calendar (cron) system under the date February 31.

The malware, dubbed “CronRAT”, is currently targeting web stores and is designed to steal credit card data by placing online payment skimmers on Linux servers.

CronRAT stands out for its sophistication as malware targeting online stores, and it goes undetected by many antivirus engines.

A clever hiding place for payloads

CronRAT abuses cron, the Linux task scheduling system, by scheduling tasks to run on non-existent days, such as February 31.

Cron on Linux accepts such a date as long as each field is in a valid format, even if the date never occurs in the calendar; the consequence is that the scheduled task is never executed.

This is how CronRAT achieves stealth.

A report published by Dutch cybersecurity firm Sansec describes hiding a “sophisticated Bash program” in the name of a scheduled task.

“CronRAT” adds several tasks to the crontab with an invalid date specification.

These lines are syntactically valid, but would cause a runtime error if executed. That never happens, however, because these tasks are set to run on February 31.
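As an added defender-side example (not code from the article or from Sansec), the following Python script scans a crontab for entries whose day-of-month/month combination never occurs, the hiding place described above. The sample crontab is constructed. It also covers a caveat a practitioner should know: when the day-of-week field is restricted, cron runs the command when either the day-of-month or the day-of-week matches, so such an entry is reported separately rather than treated as dormant.

```python
import calendar

# Constructed sample crontab (not from the report). Lines 4 and 5 use the
# CronRAT-style trick: a valid schedule whose calendar date never occurs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/backup.sh
30 4 1 * * /usr/sbin/logrotate /etc/logrotate.conf
52 23 31 2 * /bin/sh -c 'hidden payload would sit here'
0 0 31 4,6 * /opt/cleanup.sh
52 23 31 2 3 /bin/sh -c 'dow restricted: may still fire'
"""

def _expand(field, lo, hi):
    """Expand a numeric cron field (*, a, a-b, a,b, x/step) into a set of ints."""
    values = set()
    for part in field.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def impossible_dates(crontab_text):
    """Return (line_no, never_fires, line) for entries whose day-of-month and
    month fields describe a date that exists in no year. never_fires is False
    when day-of-week is restricted: cron then runs the command when EITHER
    day-of-month OR day-of-week matches, so the line is not truly dormant."""
    hits = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        _, _, dom, mon, dow, _ = fields
        try:
            days, months = _expand(dom, 1, 31), _expand(mon, 1, 12)
        except ValueError:
            continue  # month/day names or @reboot-style entries: out of scope here
        # Longest month among those listed (Feb counts as 29 days for leap years).
        max_day = max(calendar.monthrange(2024, m)[1] for m in months)
        if days and min(days) > max_day:
            hits.append((no, dow == "*", line))
    return hits

if __name__ == "__main__":
    for no, never, line in impossible_dates(SAMPLE_CRONTAB):
        print(f"line {no}: {'never fires' if never else 'dow-restricted'}: {line}")
```

Run it against `crontab -l` output or the files under `/etc/cron.d` and `/var/spool/cron` to list entries that can never fire.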

The payload is multi-layered, compressed, and obfuscated by Base64 encoding. The code includes commands for self-destruct, timing modulation, and a custom protocol to allow communication with remote servers.

The researchers noted that the malware communicates with a command and control (C2) server (47.115.46.167) using “an exotic feature of the Linux kernel that allows TCP communication through files.”

In addition, the connection is made over TCP port 443 using a fake banner for the Dropbear SSH service, which also helps the malware stay under the radar.

After contacting the C2 server, several commands are sent and received to obtain the malicious dynamic library. At the end of these exchanges, the attacker behind CronRAT can execute arbitrary commands on the compromised system.

CronRAT was found in multiple web stores around the world, and was used to inject scripts into servers that steal payment card data (so-called Magecart attacks).

Sansec describes the new malware as a “serious threat to Linux e-commerce servers” because of its capabilities:

  • Fileless execution
  • Timing modulation
  • Anti-tampering checksum
  • Binary, obfuscated protocol control
  • Starting tandem RATs on separate Linux subsystems
  • Control server disguised as “Dropbear SSH” service
  • Hide payload in legitimate CRON scheduled task name

These features make CronRAT virtually undetectable; VirusTotal’s scanning service found that 12 anti-virus engines failed to process this malicious file, and 58 of them did not detect it as a threat.

CronRAT not detected by VirusTotal

Sansec noted that CronRAT’s novel execution method also evaded its detection algorithm, eComscan, and that researchers had to rewrite eComscan to catch the new threat.
