“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” share the researchers.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
Sansec claims to have seen several instances where CronRAT had helped the attackers inject magecart payment skimmers in the server-side code on the ecommerce platforms.
Sansec explains that the attackers take advantage of the fact that the Linux cron system can schedule tasks on any date as long as it has a valid format. The attackers use this “feature” to insert CronRAT on an invalid date.
The researchers note that CronRAT hides a “sophisticated Bash program” that employs various techniques including self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server, in order to go about its malicious business without spooking admins.
When launched, the malware contacts the control server using another “exotic feature” of the Linux kernel that enables TCP communication via a file. It then performs several actions to create a persistent backdoor to the attacked server, which essentially allows CronRAT operators to run any code on the server.
“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” suggests Willem de Groot, director of threat research, Sansec.