CronRAT is a new Linux malware set to strike on February 31st
Yes, you did read the headline correctly; security researchers have discovered a stealthy new remote access trojan (RAT) designed to attack Linux systems. Named CronRAT, the malware hides as a scheduled task and is configured to run on a non-existent date – February 31st.
Researchers from Sansec warn that CronRAT "enables server-side Magecart data theft which bypasses browser-based security solutions". This is something that is particularly concerning this Black Friday.
See also:
- Microsoft releases KB5007253 update to fix MSI issues and yet more printer problems in Windows
- Zero-day vulnerability could give an attacker admin access in Windows 11 and older
- You can now download a free Windows 11 Enterprise virtual machine from Microsoft
CronRAT is described as "a sophisticated threat that is packed with never-seen stealth techniques", and Sansec says that the way it operates means that it will not be recognized by other security firms for some time.
The company explains: "Sansec found CronRAT to be present on multiple online stores, among them a nation’s largest outlet. Because of its novel execution, we had to rewrite part of our eComscan algorithm in order to detect it. CronRAT is currently undetected by other security vendors".
The security firm continues:
CronRAT's main feat is hiding in the calendar subsystem of Linux servers ("cron") on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system.
CronRAT facilitates persistent control over an eCommerce server. Sansec has studied several cases where the presence of CronRAT lead to the injection of payment skimmers (aka Magecart) in server-side code.
If you're wondering about the point of having malware configured to run on a date that does not exist, Sansec explains:
The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding.
The real payload of CronRAT is a "sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server".
More information is available in Sansec's write-up.
Image credit: Sansec