
This stealthy malware hides behind an impossible date

Nov, 26, 2021 Hi-network.com

Security researchers have discovered a new remote access trojan (RAT) that uses an unusual way of hiding on servers.

As first reported on BleepingComputer, this new malware, dubbed CronRAT, hides in scheduled tasks on Linux servers by being set for execution on February 31, a date that doesn't exist. 


Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend in Linux server-focused Magecart malware. CronRAT is used to enable server-side Magecart data theft.


The security company describes the malware as "sophisticated", and it remains undetected by most antivirus vendors. After receiving samples of the malware to discover how it works, Sansec had to rewrite its detection engine to spot it.

The name CronRAT is a reference to the Linux cron tool, which allows admins to schedule jobs on a Linux system to run at a specific time of day or on a regular day of the week.

"CronRAT's main feat is hiding in the calendar subsystem of Linux servers ('cron') on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system," explains Sansec in a blog post.

The malware drops a "sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server," says Sansec. 

Magecart card skimmers are a problem that's not going away any time soon as e-commerce continues to play a vital role in shopping during the ongoing pandemic. Ahead of Black Friday, the National Cyber Security Centre (NCSC) warned it had found 4,151 retailers that had been compromised by hackers targeting bugs in checkout pages over the past 18 months. Most of the attacks targeted bugs in popular e-commerce platform Magento. The FBI last year issued a similar warning about Magecart attackers targeting a Magento plugin.

