Security researchers identified a new remote access trojan (RAT) for Linux that hides in activities scheduled for execution on February 31st, which is a non-existent date. CronRAT is a piece of malware that presently targets web retailers and allows attackers to steal credit card information by installing online payment skimmers on Linux servers. CronRAT is malware for online retailers characterized by inventiveness and cunning, and it is undiscovered by several antivirus engines.
CronRAT uses the Linux task scheduling system cron, which allows jobs to be scheduled on days that do not exist on the calendar, like February 31st. Even if it is a non-existent day in the calendar, the Linux cron system respects date requirements as long as they have a proper format, which implies the scheduled job will not run. CronRAT relies on this to maintain its anonymity. According to research released today by Dutch cyber-security firm Sansec, it hides a “sophisticated Bash program” in the titles of scheduled jobs.
Multiple levels of compression and Base64 encoding are used to conceal the payloads. The code has been cleaned up and now contains timing modulation, self-destruction, and a custom protocol for communicating with a remote server. The researchers found that the malware communicates with a command and control (C2) server (126.96.36.199) using an unusual feature of the Linux kernel that allows TCP connection through a file. Moreover, the malware uses a bogus banner for the Dropbear SSH service to connect via TCP through port 443, which helps it stay undetected.
The disguise falls after accessing the C2 server, sends and receives multiple commands, and obtains a malicious dynamic library. CronRAT’s attackers can then perform any command on the compromised machine at the end of these exchanges. CronRAT’s revolutionary execution approach also circumvented the researchers’ detection algorithm, eComscan, and they had to modify it to identify the new threat, according to Sansec.