CronRAT Malware Uses Novel Stealth Technique
Overview
A strain of malware has been observed using a new technique to hide code. The CronRAT malware hides its payloads in the crontab (Linux's task scheduler). However, unlike a traditional scheduled task, CronRAT entries use non-existent dates (such as February 31st) so that the task is never triggered. The payload is stored in the name of the task, hidden behind layers of obfuscation.
Impact
Linux servers infected with CronRAT were seen to be injecting Magecart payloads into their webpages that could then steal credit card info from users of the site.
Vulnerability Detection
Check the contents of /etc/cron for scheduled entries with impossible dates, such as February 31st.
Affected Products
Linux eCommerce servers
Containment, Mitigations & Remediations
The Remote Access Trojan (RAT) connects over TCP using the little-known Linux kernel feature that allows TCP connections via file. A good detection would be to monitor for use of anything under '/dev/tcp/'.
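The two checks described above (cron entries with impossible dates under Vulnerability Detection, and commands touching /dev/tcp under Containment) can be combined into one crontab scan. This is an added example, not code from the original advisory; the crontab lines are constructed samples, and the 203.0.113.10 address is a documentation placeholder, not an indicator from this report.

```python
import calendar

# Constructed sample crontab lines (not real CronRAT content): one benign
# entry, one with an impossible date (31 Feb), one using /dev/tcp.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
52 23 31 2 * echo "constructed-hidden-payload"
*/5 * * * * bash -c 'exec 3<>/dev/tcp/203.0.113.10/443'
"""

def expand(field, lo, hi):
    """Expand one cron field (*, lists, ranges, steps) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def find_suspicious(crontab_text):
    """Return (line, reason) pairs for entries that can never fire or use /dev/tcp."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)   # 5 time fields + the rest (user/command)
        if len(fields) < 6:
            continue
        _minute, _hour, dom, mon, dow, command = fields
        months, days = expand(mon, 1, 12), expand(dom, 1, 31)
        # A real date exists if some selected month is long enough for some
        # selected day; 2024 is a leap year so 29 Feb counts as possible.
        real = any(d <= calendar.monthrange(2024, m)[1] for m in months for d in days)
        if not real:
            # Vixie cron fires on EITHER match when both dom and dow are restricted,
            # so an impossible date only guarantees a dead entry when dow is '*'.
            reason = ("impossible date, entry never runs" if dow == "*"
                      else "impossible date (dow restricted, may still fire on that weekday)")
            findings.append((line, reason))
        if "/dev/tcp/" in command:
            findings.append((line, "command uses /dev/tcp pseudo-device"))
    return findings
```

Run it over /etc/crontab, the files in /etc/cron.d and each user's crontab (crontab -l) to cover both system-format and user-format entries.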
Indicators of Compromise
47.115.46.167
Threat Landscape
Financial crime targeting consumers is common in the run-up to Christmas, and Magecart is a common tool used for this. Magecart works like a digital credit card skimmer: malicious JavaScript code is injected into the payment page of a legitimate website, and a copy of the card details is sent to the attacker during a purchase.
Mitre Methodologies
T1564 – Hide Artifacts
Further Information
CronRAT malware hides behind February 31st