CronRAT: Linux malware is hiding in the calendar

B2B Cyber Security ShortNews


CronRAT is a new Linux trojan that hides among scheduled tasks. Its execution date, February 31, is of course invalid, but many security programs fail to detect it.

Researchers at e-commerce security specialist Sansec have discovered a new Linux remote access Trojan (RAT) that has found an unusual way of hiding itself from most security applications on the affected servers. CronRAT, as the security researchers dubbed it, disguises itself as a scheduled task with the execution date February 31. Because this date is invalid and does not exist, the malware escapes the attention of most antivirus programs.

CronRAT - Remote Access Trojan

The security researchers have examined how CronRAT works. The result shows that the Trojan abuses the cron tool on Linux servers. Administrators use it to schedule tasks at specific times, which are then carried out automatically; the tool is part of the Linux calendar-based scheduling subsystem. Since the day on which CronRAT is to be executed does not exist, the job is also not visible in the calendar for the admin. Since most security programs do not scan the cron system either, the Trojan is practically invisible. At Sansec, too, the detection engine first had to be rewritten before the Trojan could be detected.
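An added defender-side check, not code from Sansec or 8com: this Python script expands the day-of-month and month fields of crontab lines and flags entries whose date can never occur, such as February 31. The sample crontab is constructed for the example.

```python
import calendar

# Days per month; February counted as 29 so a genuine leap-day job is not flagged.
DAYS_IN_MONTH = {m: (29 if m == 2 else calendar.monthrange(2023, m)[1]) for m in range(1, 13)}
# cron accepts month names (jan, feb, ...) as well as numbers.
MONTH_NAMES = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}


def expand_field(field, lo, hi, names=None):
    """Expand a cron field ('*', '1,15', '1-5', '*/3', 'feb') into a set of ints."""
    names = names or {}
    values = set()
    for part in field.lower().split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(names.get(a, a)), int(names.get(b, b))
        else:
            start = end = int(names.get(part, part))
        values.update(range(start, end + 1, step))
    return values


def impossible_schedule(line):
    """True if the day-of-month/month combination of a user-crontab line can never occur.
    Comments, blank lines and @reboot-style shortcuts are skipped. Vixie cron may still
    match on day-of-week when both date fields are restricted, but an impossible
    date is suspicious in itself, so day-of-week is deliberately ignored here."""
    fields = line.split()
    if len(fields) < 6 or fields[0].startswith(("#", "@")):
        return False
    dom = expand_field(fields[2], 1, 31)
    months = expand_field(fields[3], 1, 12, MONTH_NAMES)
    # The job can fire only if some listed month has at least one listed day.
    return not any(d <= DAYS_IN_MONTH[m] for m in months for d in dom)


def find_impossible_entries(crontab_text):
    """Return the crontab lines that can never run."""
    return [ln for ln in crontab_text.splitlines() if impossible_schedule(ln)]


SAMPLE_CRONTAB = """\
# constructed sample crontab: two harmless jobs, two that can never fire
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
30 2 29 2 * /usr/local/bin/leap-day-report
52 23 31 2 * /var/tmp/.x/run
0 0 31 4,6,9,11 * /var/tmp/.y/run
"""
```

Run it over the output of `crontab -l` for every user; system crontabs in /etc/crontab and /etc/cron.d carry an extra user field and would need the field index shifted by one.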

CronRAT - hidden invisibly in the calendar

Once on the server, the malware contacts a command and control server using an "exotic function of the Linux kernel that enables TCP communication via a file," the Sansec researchers explain. In the second step, the Trojan sends and receives several commands and retrieves a malicious dynamic library. At the end of this exchange, the attackers behind CronRAT can execute any command on the compromised system.

CronRAT is just one of many examples of the increasing threat posed by so-called Magecart attacks, in which online shops are manipulated in order to steal customer payment data. CronRAT has been discovered in several shops around the world, and it is by no means the only malware trying to compromise legitimate online shops in this way. The FBI issued a warning against Magecart attacks last year, which the American National Cyber Security Center (NCSC) has now repeated. The security experts there had found 4,151 retailers in the run-up to Black Friday whose servers and checkout pages had been compromised by hackers in the past 18 months.

Magecart attacks target online shops

Even if Black Friday is over for this year, the threat of Magecart attacks will not decrease in the future. In particular, the rising number of Covid infections and the upcoming Christmas season should ensure that online retail continues to grow in the coming weeks and months, and with it the number of potential targets for Magecart attacks. Highly specialized malware such as CronRAT is particularly difficult to protect against, as technical solutions alone are not sufficient: in the VirusTotal scanning service, 12 antivirus engines were unable to process the Trojan and 58 did not recognize it as a threat. Therefore, regular scans of the entire system for irregularities, no matter how insignificant they seem, should be carried out.

More at 8com.de

About 8com

The 8com Cyber Defense Center effectively protects the digital infrastructures of 8com's customers from cyber attacks. It includes security information and event management (SIEM), vulnerability management and professional penetration tests. It also offers the setup and integration of an Information Security Management System (ISMS), including certification according to current standards. Awareness measures, security training and incident response management round off the offer.
