Home / Threat Intelligence bulletins / CronRAT Malware Uses Novel Stealth Technique


A strain of malware has been observed using a new technique to hide code. The CronRAT malware hides its payloads in the cron tab (Linux’s task scheduler). However, unlike a traditional scheduled task, CronRAT entries use non-existent dates (such as February 31st) to prevent the task from ever being triggered. The payload is stored in the name of the task, hidden behind layers of obfuscation.


Linux servers infected with CronRAT were seen to be injecting Magecart payloads into their webpages that could then steal credit card info from users of the site.

Vulnerability Detection

Check the contents of /etc/cron

Affected Products

Linux eCommerce servers

Containment, Mitigations & Remediations

The Remote Access Trojan (RAT) connects over TCP using the little-known Linux kernel feature that allows TCP connections via file. A good detection would be to monitor for use of anything under ‘/dev/tcp/’

Indicators of Compromise

Threat Landscape

Financial crime targeting consumers is common around the run up to Christmas, and Magecart is a common tool used for this. Magecart works like a digital credit card skimmer. Malicious JavaScript code is injected into the payment page of a legitimate website and then a copy of the card details gets sent to the attacker during a purchase.

Mitre Methodologies

T1564 – Hide Artifacts

Further Information

CronRAT malware hides behind February 31st