Remote access malware is being used to attack eCommerce servers, and it hides on Nginx servers so that security solutions can’t detect it. NginRAT is a mix of the application it targets and the remote access capabilities it delivers. It is being used in server-side attacks to steal credit card data from online merchants.
NginRAT was discovered on eCommerce servers in North America and Europe infected with CronRAT, a remote access trojan (RAT) that conceals payloads in activities scheduled to run on an incorrect calendar day. NginRAT has infected servers located in the United States, Germany, and France, injecting into Nginx processes that are undetectable, allowing it to remain unnoticed.
According to researchers at security firm Sansec, the new malware is delivered CronRAT, even though both perform the same function: granting remote access to the attacked machine.
According to Willem de Groot, director of threat research at Sansec, while the two RATs appear to have the same job, they use entirely different approaches to preserve their secrecy. Whoever is behind these malware infections is using them to change server-side code to collect data from users (POST requests).
After developing a bespoke CronRAT and analyzing the interactions with the command-and-control server (C2) in China, Sansec investigated NginRAT. The researchers duped the C2 into transmitting and executing a rogue shared library payload as part of the typical harmful interaction, masking the NginRAT more complex malware.
“NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself” – Sansec
The remote access virus is embedded in the Nginx process so that it is practically hard to distinguish from a valid process at the conclusion of the process.
Sansec notes in a technical study released today that NginRAT is installed on a compromised machine using CronRAT’s proprietary “dwn” command, which downloads the malicious Linux system library to the “/dev/shm/php-shared” location.
The library is then run using Linux’s LD_PRELOAD debugging function, commonly used for testing system libraries. The threat actor likely inserted the “help” option numerous times towards the end to disguise the execution. Detecting NginRAT can be tricky since it masquerades as a normal Nginx process, and the code resides only in the server’s memory.
However, two variables, LD_PRELOAD and LD_L1BRARY_PATH, are used to launch the malware. Administrators can leverage the latter, which includes the “typo,” to show active malicious processes by issuing the command:
$ sudo grep -l LD_L1BRARY_PATH /proc/*/environ
/proc/17199/environ
/proc/25074/environ
If NginRAT is located on the server, Sansec advises admins to inspect the cron tasks since malware installed by CronRAT is quite likely to be hidden there.