Security researchers have discovered a new type of remote access Trojan (RAT) malware that has created an unusual new way of hiding on servers.
As first reported on BleepingComputer, this new malware, called CronRAT, is hiding in scheduled tasks on Linux servers by setting it to run on February 31st, a date that doesn’t exist.
Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend in Linux server-focused Magecart malware. CronRAT is used to enable server-side Magecart data theft.
SEE: A successful cybersecurity strategy (ZDNet special report)
The security company describes the malware as “mature” and remains undetected by most antivirus providers. Sansec had to rewrite its detection engine to detect the malware after receiving samples to see how it worked.
The name CronRAT is a reference to the Linux cron tool, which enables administrators to create scheduled jobs on a Linux system that run at a specific time of day or a regular day of the week.
“The main accomplishment of CronRAT is to hide in the calendar subsystem of Linux servers (” cron “) on a nonexistent day. That way, it will not attract the attention of server administrators. And many security products scan the Linux cron system not, “explains Sansec in a blog post.
The malware puts down a “sophisticated bash program that offers self-destruct, timing modulation, and a user-defined binary protocol for communicating with a third-party control server,” says Sansec.
Magecart card skimmers are a problem that is not going to go away anytime soon as e-commerce continues to play an important role in shopping during the ongoing pandemic. Ahead of Black Friday, the National Cyber Security Center (NCSC) warned it had found 4,151 retailers who had been compromised by hackers targeting errors in checkout pages in the past 18 months. Most of the attacks were aimed at bugs in the popular Magento e-commerce platform. The FBI issued a similar warning last year about Magecart attackers targeting a Magento plugin.