NginRAT

Cybercriminals are deploying a new Remote Access Trojan (RAT) threat named NginRAT in attacks against eCommerce servers. The goal of the threatening operation is to collect payment card information from compromised online stores. So far, victims of NginRAT have been identified in North America, Germany and France. 

The evasion techniques employed by NginRAT make it extremely hard to be caught by security solutions. The threat hijacks the host's Nginx application by modifying the core functionality of the Linux host system. More specifically, whenever the legitimate Nginx Web server executes a functionality, such as dlopen, NginRAT intercepts it and injects itself. As a result, the RAT becomes indistinguishable from a legitimate process. 

According to the security company that analyzed the NginRAT threat, there is a way to show the compromised processes. The threat uses LD_L1BRARY_PATH (with a typo) so the researchers recommend running the following command:

$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/

/proc/17199/environ

/proc/25074/environ

They also discovered that NginRAT was delivered to the targeted servers by another RAT malware named CronRAT. The two threats fulfill the same role - providing backdoor access to the infected machine, but they rely on different methods. For example, CronRAT hides its corrupted code in valid scheduled tasks that will never be executed because they are set to run on non-existent dates such as February 31. 

Because both threats have been observed to be present at the same time, if NginRAT is found on a server, administrators also should check the cron tasks for signs of a corrupted code that might be hidden there by CronRAT.