Security researchers have discovered a new remote access trojan (RAT) for Linux systems that keeps an almost invisible profile by hiding its payload in cron jobs scheduled to run on a day that does not exist, February 31st.
Named CronRAT, the malware is currently targeting web stores and lets intruders steal credit card data by deploying online payment skimmers on Linux servers.
CronRAT is inventive and sophisticated, and most antivirus engines do not detect it.
It abuses cron, the Linux task scheduler, which lets a job be scheduled on a calendar day that never occurs, such as February 31st.
Cron validates each field of a schedule only against its own range (day of month 1 to 31, month 1 to 12); it does not check that the day actually exists in the given month. An entry whose day of month and month can never coincide is therefore accepted but never executed. One caveat from crontab(5): when both the day-of-month and day-of-week fields are restricted (neither is an asterisk), Vixie-style cron runs the job when either field matches, so an entry that also names a weekday is not fully dormant.
CronRAT relies on this behaviour to stay hidden. According to a report by the Dutch cybersecurity company Sansec, the Linux trojan hides a sophisticated Bash program in the names of scheduled tasks.
"CronRAT adds a number of tasks to crontab with a strange date specification: 52 23 31 2 3. These lines are syntactically valid, but will generate a runtime error during execution. However, this will never happen as they are scheduled to run on February 31st," Sansec researchers explain.
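The check a practitioner would want here is a crontab audit that flags schedules whose day-of-month and month can never coincide. The script below is an added example, not Sansec's or CronRAT's code. It expands the day-of-month and month fields (lists, ranges, steps and asterisks), reports entries with an impossible date, and applies the crontab(5) rule that a restricted day-of-week field makes cron fire on either matching field. The sample crontab is constructed for the example; only the 52 23 31 2 3 specification comes from the Sansec description, and the commands beside it are placeholders.

```python
"""Audit a crontab for schedule entries with an impossible calendar date.

Added example (not Sansec's or CronRAT's code). The sample crontab is
constructed; only the '52 23 31 2 3' schedule is taken from the report.
"""

# February is given 29 days so a Feb 29 entry counts as reachable (leap years).
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}


def expand_field(field, lo, hi):
    """Expand one cron field ('*', '1,15', '1-5', '*/10', '1-31/2') into a set of ints.

    Raises ValueError when a value falls outside [lo, hi], which is what cron
    itself rejects at crontab-install time.
    """
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError("out-of-range cron field: %r" % field)
        values.update(range(start, end + 1, step))
    return values


def reachable_day_month(dom_field, month_field):
    """True if at least one (day, month) pair in the schedule exists on the calendar."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12)
    return any(d <= DAYS_IN_MONTH[m] for d in days for m in months)


def analyze_crontab(text):
    """Return (schedule, command, verdict) for every job line in a crontab."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @reboot/@daily shortcuts have no calendar fields
        if "=" in line.split()[0]:
            continue  # environment assignment such as SHELL=/bin/bash
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        minute, hour, dom, month, dow, command = parts
        schedule = " ".join(parts[:5])
        try:
            reachable = reachable_day_month(dom, month)
        except ValueError:
            findings.append((schedule, command, "malformed"))
            continue
        if reachable:
            verdict = "runs"
        elif dow != "*":
            # crontab(5): with both day fields restricted, the job runs when EITHER
            # matches, so an impossible day-of-month does not make the entry dormant.
            verdict = "impossible day-of-month, but still fires on weekday(s) " + dow
        else:
            verdict = "never fires (impossible date); inspect command for hidden payload"
        findings.append((schedule, command, verdict))
    return findings


# Constructed sample crontab; the commands are placeholders, not real CronRAT artefacts.
SAMPLE_CRONTAB = """\
# constructed sample for the example
SHELL=/bin/bash
0 3 * * * /usr/local/bin/backup.sh
52 23 31 2 3 /tmp/.cache/update
30 4 31 4 * /opt/app/rotate.sh
15 2 29 2 * /opt/app/leap.sh
"""

if __name__ == "__main__":
    for schedule, command, verdict in analyze_crontab(SAMPLE_CRONTAB):
        print("%-16s %-28s %s" % (schedule, command, verdict))
```

Run it against `crontab -l` output for each user and against the files under `/etc/cron.d` to get a quick list of entries worth a second look. Note that the schedule quoted by Sansec sets the day-of-week field to 3, so on Vixie-style cron it would fire on Wednesdays in February rather than never; the script reports that case separately from a genuinely dormant entry such as April 31st.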
The hidden code includes commands for self-destruction and timing modulation, along with a custom protocol for talking to a remote server.
The researchers note that the trojan contacts a command and control (C2) server (18.104.22.168) using "a Linux kernel feature that allows TCP communication over a file".
The connection goes out over TCP port 443, and the server presents a fake Dropbear SSH banner, which further helps the malware blend in.
Once contact with the C2 server is established, the disguise is dropped: the trojan exchanges a series of commands with the server and receives a malicious library. At the end of this exchange, the intruders behind CronRAT can execute arbitrary commands on the compromised system.
Sansec describes the new malware as "a serious threat to Linux e-commerce servers" because of its capabilities:
- Fileless execution
- Timing modulation
- Anti-tampering checksums
- Control via a binary, obfuscated protocol
- Launches a tandem RAT in a separate Linux subsystem
- Control server disguised as a "Dropbear SSH" service
- Payload hidden in legitimate cron scheduled job names
Together these features make CronRAT very hard to detect. Sansec notes that CronRAT's execution technique also evaded its eComscan detection algorithm, which the researchers had to rewrite in order to catch the new threat.