CronRAT Malware Targets Linux Servers
Security researchers at Sansec have found a new stealth attack that targets Linux servers and uses a non-existent calendar day to stay off the radar. This RAT (Remote Access Trojan) masks the actions of the attack by using the date February 31 and targets Linux-based web stores to trigger online payment skimmer threats.
The new CronRAT attack can execute fileless malware, launch malware in separate subsystems, control servers disguised as Dropbear SSH services, hide payloads in legitimate cron tasks, and run anti-tampering commands. CronRAT bypasses browser-based security scans and has already been discovered in live online stores. The threat was injected into servers via a Magecart (payment skimming) attack.
This attack is made possible because cron only checks for a date format and not that the date of the task is legitimate. The crontab date specification for ConRAT is 52 23 31 2 3, which would generate a run time error upon execution. However, that runtime will never happen, because the date doesn't exist.
Once CronRAT is executed, it contacts a Command and Control (C2) server at IP address 47.115.46.167:443 using a fake banner for the Dropbear SSH service. The payloads of the commands are obfuscated with multiple layers of compression and Base64 encoding.
CronRAT is considered a serious threat to Linux eCommerce servers and has managed to bypass most detection algorithms. Sansec had to rewrite its algorithm to catch this dangerous threat.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.