What Is CronRAT?
CronRAT is a new sophisticated malware threat of the remote access trojan type, discovered just before this year’s Black Friday. The malware is packed with previously unseen stealth capabilities. It hides in the Linux calendar system on a particular, non-existent date, February 31st. Apparently, no security vendors recognize CronRAT, meaning that it will probably stay undetected on critical infrastructure for months.
What is CronRAT’s purpose?
The malware enables a server-side Magecart skimmer, thus circumventing browser-based security protection mechanisms.
The RAT was uncovered by Sansec researchers, who say that it is “present on multiple online stores,” including a large outlet. It is noteworthy that, because of the malware’s novel infrastructure, the firm had to rewrite one of its algorithms in order to detect in.
CronRAT Campaign Details
It is somewhat expected to expect a new piece of data-stealing, skimming malware right before Black Friday and the winter holidays. This time of the year is usually “packed” with attacks against eCommerce businesses.
Currently, the RAT is present on several online stores, one of which quite large. The malware is successfully hiding in the calendar subsystem of Linux servers (called “cron”) on a nonexistent day. Thanks to this clever trick, its operators will attract zero attention from server admins. Not to mention that most security products are not meant to scan the Linux cron system.
“CronRAT facilitates persistent control over an eCommerce server. Sansec has studied several cases where the presence of CronRAT lead to the injection of payment skimmers (aka Magecart) in server-side code,” the report noted.
Digital Skimming Moving to the Server
Sansec director of threat research Willem de Groot said that “digital skimming is moving from the browser to the server”. This tactic ensures threat actors that they won’t be detected, as most online stores only have browser-based defence. This way, cybercriminals “capitalize on the unprotected back-end. “Security professionals should really consider the full attack surface,” de Groot added.
It is crucial to highlight that CronRAT’s capabilities are a real threat to Linux eCommerce servers. Here is a list of the malware’s malicious capabilities, as per Sansec’s report:
- Fileless execution
- Timing modulation
- Anti-tampering checksums
- Controlled via binary, obfuscated protocol
- Launches tandem RAT in separate Linux subsystem
- Control server disguised as “Dropbear SSH” service
- Payload hidden in legitimate CRON scheduled task names
The researchers had to come up with an entirely new approach to detect the malware – “a specially crafted RAT client to intercept commands” – but this has led them to the discovery of another rather stealthy RAT. They say details are pending.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: