New malware disguised as an nginx process

Nginx servers have been targeted by remote access malware.

NginRAT parasite targets Nginx
The malware, named “NginRAT” after the application it targets and the remote access capabilities it provides, is used in server-side attacks to steal payment card data from online stores.

NginRAT was found on e-commerce servers in North America and Europe that were infected with CronRAT, a remote access Trojan (RAT) that hides its payload in tasks scheduled to run on invalid days in the calendar.

NginRAT has infected servers in the United States, Germany, and France, and is built to evade detection by injecting itself into Nginx processes, where it is indistinguishable from the legitimate web server.

RAT allows server-side code modification

Security firm Sansec describes the new malware as being delivered via CronRAT; both perform the same function in that they provide remote access to the compromised system.

Although they use very different techniques to remain hidden, the two RATs appear to play the same role: serving as a backup for maintaining remote access.

Sansec said it was able to study NginRAT by building a custom CronRAT client and observing its exchanges with a command and control (C2) server located in China.

During an otherwise normal malicious exchange, this C2 server was tricked into sending a malicious shared library payload, which was then executed; that payload turned out to be the “more advanced malware”, NginRAT.

NginRAT basically hijacks the host’s Nginx application to avoid detection. To do so, NginRAT modifies the core functionality of the Linux host system. When a legitimate Nginx web server uses such a feature (such as dlopen), NginRAT intercepts it and injects itself – Sansec

The end result is an Nginx process with the remote access malware embedded in it, in such a way that it is indistinguishable from the legitimate process.

NginRAT is indistinguishable from a legitimate Nginx process

According to a technical report published by Sansec, NginRAT lands on the system with the help of CronRAT: a custom “dwn” command downloads a malicious Linux shared library to “/dev/shm/php-shared” on the infected host.

This library is then loaded using Linux’s LD_PRELOAD facility, a dynamic-loader debugging feature that is commonly used to test system libraries.

The option “help” is also appended several times at the end of the command to obscure what is actually being executed. Running this command injects NginRAT into the host’s Nginx application.

NginRAT can be difficult to detect because it hides as a normal Nginx process and the code only exists in the server’s memory.

The malware is launched using two environment variables, LD_PRELOAD and LD_L1BRARY_PATH (note the digit 1 in place of the letter I). Administrators can uncover active malicious processes by searching for processes whose environment contains this misspelled variable, using the following command.

$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/
/proc/17199/environ
/proc/25074/environ
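
As an added example, not code from the article or from Sansec, the POSIX shell scanner below generalises the one-liner above: it walks a /proc-style tree of <pid>/environ files, skips the self entries, and reports either the misspelled LD_L1BRARY_PATH variable or an LD_PRELOAD that points into /dev/shm, the location the report names. The sample tree it builds is constructed for offline testing; on a real host run scan_environ_dir /proc as root.

```shell
# Added example (not from the article or Sansec): scan <pid>/environ files for the
# two tell-tales the article names. Reading other users' environ files needs root.
scan_environ_dir() {
    dir="$1"
    for f in "$dir"/*/environ; do
        [ -r "$f" ] || continue                        # unreadable, or glob matched nothing
        case "$f" in */self/environ|*/thread-self/environ) continue ;; esac
        # environ is NUL-separated; turn it into lines and anchor each match at the
        # start of a variable name so a value that merely contains the string is ignored.
        if tr '\000' '\n' < "$f" | grep -q '^LD_L1BRARY_PATH='; then
            echo "$f LD_L1BRARY_PATH"
        elif tr '\000' '\n' < "$f" | grep -q '^LD_PRELOAD=.*/dev/shm/'; then
            echo "$f LD_PRELOAD_in_dev_shm"
        fi
    done
}

# Constructed sample tree (three fake PIDs) so the scanner can be exercised offline.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir "$d/100" "$d/200" "$d/300"
    printf 'PATH=/usr/bin\000HOME=/root\000' > "$d/100/environ"                                # clean
    printf 'LD_PRELOAD=/dev/shm/php-shared\000LD_L1BRARY_PATH=/dev/shm\000' > "$d/200/environ"  # NginRAT-like
    printf 'LD_PRELOAD=/usr/lib/libjemalloc.so\000' > "$d/300/environ"                        # benign preload
    echo "$d"
}
```

Only PID 200 is reported, under its LD_L1BRARY_PATH indicator; the benign jemalloc preload in PID 300 is deliberately left alone.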

Sansec points out that if NginRAT is found on a server, administrators should check the cron tasks as well, because that is also where malware added by CronRAT is likely to be lurking.
