26 November 2021

CronRAT: New Linux malware that hides behind February 31 to stay undetected

A new remote access trojan (RAT) for Linux has been discovered that uses a clever stealth technique to evade detection by hiding in tasks scheduled for execution on a non-existent calendar day, February 31.

First spotted by the Dutch cybersecurity firm Sansec, the malware dubbed “CronRAT” hides in the Linux calendar system and enables server-side Magecart data theft which bypasses browser-based security solutions.

Sansec says it found CronRAT to be present on multiple online stores, including an undisclosed “nation’s largest outlet”.

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” the researchers said.

The malware’s stealthy capabilities include:

  • Fileless execution

  • Timing modulation

  • Anti-tampering checksums

  • Controlled via binary, obfuscated protocol

  • Launches tandem RAT in separate Linux subsystem

  • Control server disguised as “Dropbear SSH” service

  • Payload hidden in legitimate CRON scheduled task names

“The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding,” Sansec explains.
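The detection opportunity in the quoted description is that a crontab entry whose day-of-month and month fields can never coincide on a real calendar (31 with February, 30 with February, 31 with a 30-day month) has no legitimate reason to exist, and that a command field carrying a long base64 blob piped through several decoders is itself a signal. The following scanner is an added example written for this article, not Sansec's tooling or anything from the CronRAT sample; the crontab text it runs over is constructed here, and the "payload" in it is a harmless placeholder string.

```python
import base64
import re
from dataclasses import dataclass

# Largest day-of-month each month can have (29 covers leap-year February).
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
           7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# Heuristics for a payload smuggled into the command ("task name") field.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")
DECODE_TOOLS = re.compile(
    r"base64\s+(?:-d|--decode)|gunzip|gzip\s+-d|xz\s+-d|bzip2\s+-d|zcat|xzcat")


def expand_field(spec, low, high):
    """Expand one cron field ('*', lists, ranges, steps) into the set of
    integer values it matches. Raises ValueError on malformed input."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"field out of range: {spec}")
        values.update(range(start, end + 1, step))
    return values


def day_month_never_occurs(dom_spec, month_spec):
    """True when no (day, month) combination allowed by the two fields
    exists on the calendar, e.g. day 31 with month 2."""
    days = expand_field(dom_spec, 1, 31)
    months = expand_field(month_spec, 1, 12)
    return all(day > MAX_DAY[month] for day in days for month in months)


@dataclass
class Finding:
    line: str
    reasons: list


def analyse_crontab(text):
    """Scan crontab text and return one Finding per suspicious entry.
    Only the five-field form is handled; @reboot/@daily shorthands are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value assignments.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        _minute, _hour, dom, month, _dow, command = parts
        reasons = []
        try:
            if day_month_never_occurs(dom, month):
                reasons.append(
                    f"day-of-month/month pair can never occur ({dom} {month})")
        except ValueError:
            reasons.append("malformed schedule fields")
        if BASE64_BLOB.search(command):
            reasons.append("long base64-looking blob in command field")
        if len(DECODE_TOOLS.findall(command)) >= 2:
            reasons.append("chained decode/decompress tools in command")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample crontab: two ordinary entries plus two modelled on the
# schedule quoted in the article. The blob is a placeholder, not a payload.
PLACEHOLDER = base64.b64encode(
    b"constructed placeholder, not a real payload").decode()
SAMPLE_CRONTAB = f"""
SHELL=/bin/bash
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /usr/local/bin/backup.sh
52 23 31 2 3 echo {PLACEHOLDER} | base64 -d | gunzip | xz -d | bash
0 0 30 2 * /bin/true
"""

if __name__ == "__main__":
    for finding in analyse_crontab(SAMPLE_CRONTAB):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Run it over `/etc/crontab`, `/etc/cron.d/*` and every file under `/var/spool/cron` to cover all the places a task can be registered. The day/month check deliberately ignores the day-of-week field: in Vixie-style cron, when both day fields are restricted the entry fires whenever either one matches, so an "impossible" date should be treated as suspicious on its own merits rather than as proof the entry is dormant.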

CronRAT, described as a “sophisticated Bash program”, implements a custom binary protocol with random checksums, to avoid detection by firewalls and packet inspectors. It also comes with commands for self-destruction, timing modulation, and a custom protocol that allows communication with a remote server. When communicating with its command-and-control server, the malware uses an “exotic feature of the Linux kernel that enables TCP communication.”

The researchers note that all these features allow CronRAT’s operators to run any code on the compromised system.

“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” Sansec’s Director of Threat Research, Willem de Groot, said.
