CronRAT Malware Targets Linux Servers

Security researchers at Sansec (https://sansec.io/research/cronrat) have found a new stealth attack that targets Linux servers and uses a nonexistent calendar day to stay off the radar. This Remote Access Trojan (RAT) masks the actions of the attack by using the date February 31 and targets Linux-based web stores to trigger online payment skimmer threats.

The new CronRAT attack can execute fileless malware, launch malware in separate subsystems, control servers disguised as Dropbear SSH services, hide payloads in legitimate cron tasks, and run anti-tampering commands. CronRAT bypasses browser-based security scans and has already been discovered in live online stores. The threat was injected into servers via a Magecart (payment skimming) attack.

This attack is made possible because cron only checks for a date format and not that the date of the task is legitimate. The crontab date specification for CronRAT is 52 23 31 2 3, which would generate a runtime error upon execution. However, that runtime will never happen, because the date doesn't exist.

Once CronRAT is executed, it contacts a Command and Control (C2) server at IP address 47.115.46.167:443 using a fake banner for the Dropbear SSH service. The payloads of the commands are obfuscated with multiple layers of compression and Base64 encoding.

CronRAT is considered a serious threat to Linux e-commerce servers and has managed to bypass most detection algorithms. Sansec had to rewrite its algorithm to catch this dangerous threat.