Cybersecurity researchers have discovered a new kind of remote access Trojan (RAT) that not only runs on Linux systems (a common but still secondary target in the malware world) but also uses a novel technique to go practically unnoticed: it hides in the system task scheduler (‘cron’) by assigning its execution to a non-existent date, February 31.
Nicknamed CronRAT, in a burst of originality, this sneaky malware is intended to infect the web servers of online stores, facilitating the installation of payment skimmers that steal credit card data. The Dutch cybersecurity firm Sansec Threat Research says it has detected CronRAT on several live e-commerce sites.
Its ingenious infection mechanism allows it to go undetected by most antivirus engines on the market: on the VirusTotal scanning service, 12 antivirus engines were unable to process the malicious file and 58 of them did not flag it as a threat.
All of this is possible because the malware takes advantage of the fact that ‘cron’ accepts any date specification with a valid format, even if the indicated day does not exist in the calendar, as it does here. On its own, that only means the scheduled task will never execute …
… unless, as in this case, the name of the scheduled task hides a “sophisticated bash script” that wraps the malware payload in multiple layers of compression and Base64 encoding.
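As an added illustration (not code from the article or from Sansec), the following Python check flags crontab entries whose day/month combination can never occur on any calendar, such as 31 2, and commands carrying a long Base64-like run; it assumes per-user crontab format (no user column) with numeric fields, and runs over a constructed sample crontab.

```python
import calendar
import re

# Days each month can have in some year; 2024 is a leap year, so February gives 29.
DAYS_IN_MONTH = {m: calendar.monthrange(2024, m)[1] for m in range(1, 13)}
# A long unbroken run of Base64 characters in the command is a simple obfuscation indicator.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{64,}")

# Constructed sample crontab (not a real capture): one ordinary job and one
# modelled on the CronRAT trick, scheduled for the 31st of February.
SAMPLE_CRONTAB = """
0 3 * * * /usr/bin/certbot renew --quiet
52 23 31 2 * /bin/sh -c 'echo """ + "QUFB" * 20 + """ | base64 -d | sh'
"""

def expand(field, lo, hi):
    """Expand a numeric cron field ('*', 'a-b', 'a,b', '*/n', 'a-b/n') into a set of ints."""
    values = set()
    for part in field.split(","):
        part, _, step = part.partition("/")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = map(int, part.split("-", 1))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, int(step or 1)))
    return values

def never_runs(dom_field, month_field):
    """True when no day/month pair in the schedule exists in any calendar year (e.g. '31 2')."""
    doms, months = expand(dom_field, 1, 31), expand(month_field, 1, 12)
    return not any(d <= DAYS_IN_MONTH[m] for d in doms for m in months)

def scan_crontab(text):
    """Return (line, reasons) for every job that can never fire or carries a Base64 blob."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0][0] in "#@":  # skip blanks, comments, @reboot-style jobs
            continue
        _, _, dom, month, _, command = fields
        reasons = []
        if never_runs(dom, month):
            reasons.append("impossible date")
        if B64_RUN.search(command):
            reasons.append("long base64-like blob in command")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings
```

Because cron only range-checks each field (1-31 for the day, 1-12 for the month), the impossible-date test has to combine the two fields, which is what never_runs does.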
Threats from ‘skimming’ no longer come solely through the browser
But when we look beneath all of that, the CronRAT code includes commands for self-destruction, timing modulation and a custom protocol for communicating with a remote command-and-control server.
This connection to the server (at IP 47.115.46.167) is made using an “exotic Linux kernel functionality that allows TCP communication through a file”, as well as a connection over port 443, for which it uses a fake Dropbear SSH service identifier, a detail that also helps the malware stay ‘under the radar’.
In addition, the connection to that server is what allows it to download and install a malicious dynamic library, the last component the malware needs in order to let its operators run any command on the compromised system.
CronRAT thus represents a turning point in the development of card-data-stealing malware, as acknowledged by Sansec’s director of threat research, Willem de Groot:
“Digital skimming is moving from browser to server and this is one more example: most online stores have only implemented threat defenses from the browser side, and criminals are capitalizing on that unprotected backend.”
Image | Daphne cholet