A new RAT is parading around the cyber world, which is highly sophisticated and packed with new stealth techniques. It hides in the Linux calendar sub-system as a task that has a nonexistent date viz. February 31.
What has been discovered
CronRAT was discovered infecting various online stores around the world, including the largest outlet in one country.
- The malware hides in tasks scheduled for execution on days so that it can help hackers stay under the radar from server administrators.
- In most of the occurrences, it was leveraged to inject online payment skimmers on a victim’s server.
How does it work?
CronRat abuses the Linux CRON scheduled task names subsystem of Linux servers to remain hidden.
- The payloads are obfuscated with multiple layers of compression and Base64 encoding. Moreover, the code has commands for timing modulation, self-destruction, and a custom protocol for communication.
- The malware contacts a C2 server (47[.]115[.]46[.]167) using a feature of the Linux kernel that allows TCP communication using a file.
- The connection is established over TCP using port 443 via a fake banner for the Dropbear SSH service. This further helps the malware to stay hidden.
- After reaching a C2 server, it sends and receives numerous commands and obtains a malicious dynamic library. Moreover, the operators can execute any command on the infected system.
- Several abilities, such as fileless execution, timing modulation, anti-tampering checksums, controlled via binary, obfuscated protocol, and others make CronRAT virtually undetectable.
Conclusion
Cybercriminals are now developing sophisticated malware such as CronRAT to steal information from web stores. The stolen information can be sold online for illicit money or may be used in future attacks. Therefore, organizations are suggested to invest more in data protection solutions to secure sensitive information.
Source: https://cyware.com/news/cronrat-abuses-linux-task-scheduler-to-stay-under-the-radar-ebac80c4