CronRAT
A sophisticated malware threat that employs innovative techniques to mask its nefarious actions has been identified by the researchers at a Dutch cyber-security company. Named CronRAT, the threat is classified as a RAT - Remote Access Trojan. It targets Web stores and provides the attackers with the means to inject online payment skimmers onto the compromised Linux servers. Ultimately, the goal of the hackers is to obtain credit card data that can later be exploited. The numerous evasion techniques employed by the threat make it nearly undetectable.
Technical Details
The standout characteristic of CronRAT is the way it abuses the Linux task scheduling system (cron) to hide a sophisticated Bash program. The malware injects several tasks to crontab that have a valid format so the system accepts them. These tasks will result in a run time error when executed but that will not happen because they are scheduled to run on non-existent dates, such as February 31st. The corrupted code of the threat is hidden in the names of these scheduled tasks.
After peeling several levels of obfuscation, infosec researchers were able to uncover commands for self-destruction, timing modifications, and a custom-built protocol for communication with the attackers' Command-and-Control server (C2, C&C). The contact with the remote server is achieved via an obscure feature of the Linux kernel that allows TCP communications through a file. In addition, the connection is carried over TCP via port 443 pretending to be a Dropbear SSH service. Ultimately, the attackers will be able to execute arbitrary commands on the breached systems.
Conclusion
CronRAT is considered a severe threat to Linux eCommerce servers due to its threatening capabilities. The threat has detection-evasion techniques, such as fileless execution, timing modulation, the use of a binary, obfuscated protocol, the use of legitimate CRON scheduled task names to hide payloads and more. In practice, it is virtually undetectable and special measures may need to be implemented to safeguard their targeted Linux servers.
