Stealthy Malware Hiding Behind An Invalid Date
Security researchers at e-Commerce specialist security firm Sansec have discovered a new remote access trojan (RAT) for Linux, that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day on February 31.
This new malware, dubbed CronRAT, hides in scheduled tasks on Linux servers by being set for execution, on the date that doesn't exist.
A highly sophisticated malware targeting online stores, CronRAT is undetected by many antivirus engines.
Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend in Linux server-focused Magecart malware. CronRAT is used to enable server-side Magecart data theft. The malware goes undetected by most antivirus vendors and Sansec first reconfigured its detection engine to spot the malware after receiving samples of it to discover how it works. “Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalise on the unprotected back-end. Security professionals should really consider the full attack surface,” commented Sansec Director of Threat Research, Willem de Groot.
The name CronRAT is a reference to the Linux cron tool that allows admins to create scheduled jobs on a Linux system to occur on a specific time of day or a regular day of the week.
According to Sansec, CronRAT's can hide itself in the calendar subsystem of Linux servers ("cron") on a non-existent day, enabling it to avoid attention from server administrators, as many security products do not scan the Linux cron system. The malware drops a "sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server," says Sansec.
It certainly looks like Magecart payment card card skimmers are going to be a long-term problem for e-commerce system operators.
Sansec: Bleeping Computer: Oodaloop: ZDNet: Cybersecurity-Review:
You Might Also Read:
Old Magecart Domains Come Back To Life: