Sneaky Linux malware hides behind events scheduled to run on February 31
Attackers have used a novel approach by hiding a magecart malware in the Linux calendaring system on an invalid date, February 31.
Dubbed CronRAT by cybersecurity researchers at Sansec, the malware was found lurking on multiple online stores just ahead of the Black Friday online shopping extravaganza.
“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” share the researchers.
Sansec claims to have seen several instances where CronRAT had helped the attackers inject magecart payment skimmers in the server-side code on the ecommerce platforms.
Novel approach
Sansec explains that the attackers take advantage of the fact that the Linux cron system can schedule tasks on any date as long as it has a valid format. The attackers use this “feature” to insert CronRAT on an invalid date.
The researchers note that CronRAT hides a “sophisticated Bash program” that employs various techniques including self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server, in order to go about its malicious business without spooking admins.
When launched, the malware contacts the control server using another “exotic feature” of the Linux kernel that enables TCP communication via a file. It then performs several actions to create a persistent backdoor to the attacked server, which essentially allows CronRAT operators to run any code on the server.
“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” suggests Willem de Groot, director of threat research, Sansec.
Batten down the hatches with the help of these best firewall apps and services, and ensure your computers are protected with these best endpoint protection tools.
Attackers have used a novel approach by hiding a magecart malware in the Linux calendaring system on an invalid date, February 31. Dubbed CronRAT by cybersecurity researchers at Sansec, the malware was found lurking on multiple online stores just ahead of the Black Friday online shopping extravaganza. “CronRAT’s main feat…
