26 November 2021

CronRAT: New Linux malware that hides behind February 31 to stay undetected


A new remote access trojan (RAT) for Linux has been discovered that uses a clever stealth technique to evade detection by hiding in tasks scheduled for execution on a non-existent calendar day, February 31.

First spotted by the Dutch cybersecurity firm Sansec, the malware dubbed “CronRAT” hides in the Linux calendar system and enables server-side Magecart data theft which bypasses browser-based security solutions.

Sansec says it found CronRAT to be present on multiple online stores, including an undisclosed “nation’s largest outlet”.

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” the researchers said.

The malware’s stealthy capabilities include:

  • Fileless execution

  • Timing modulation

  • Anti-tampering checksums

  • Controlled via binary, obfuscated protocol

  • Launches tandem RAT in separate Linux subsystem

  • Control server disguised as “Dropbear SSH” service

  • Payload hidden in legitimate CRON scheduled task names

“The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding,” Sansec explains.
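The two tricks described above (a schedule that can never fire, and a payload carried in the task text rather than on disk) lend themselves to a simple crontab audit. The following is an added example written for this article, not Sansec's tooling or anything from the CronRAT report: it expands the day-of-month and month fields of each entry, flags entries whose date can never occur (February 31 as in the report, but also e.g. April 31 or 30,31 in February), and separately flags commands carrying a long token that decodes as base64. The sample crontab is constructed for illustration.

```python
import base64
import re

_MAX_DOM = [0, 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]  # index = month; Feb 29 so leap days pass
_ENTRY_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")  # min hour dom mon dow cmd

def expand_field(field, lo, hi):  # numeric cron field ("*", "1,15", "1-5", "*/10") -> set of ints
    values = set()
    for part in field.split(","):
        part, _, step = part.partition("/")
        bounds = (lo, hi) if part == "*" else tuple(int(x) for x in part.split("-"))
        start, end = bounds if len(bounds) == 2 else bounds * 2
        values.update(range(start, end + 1, int(step or 1)))
    return values

def never_runs(dom, mon):  # True when no listed day-of-month exists in any listed month (e.g. 31 2)
    try:
        days, months = expand_field(dom, 1, 31), expand_field(mon, 1, 12) & set(range(1, 13))
    except ValueError:  # names such as "feb" are not handled here, so they are not flagged
        return False
    return not any(d <= _MAX_DOM[m] for m in months for d in days)

def has_base64_payload(command, min_len=40):  # long token in the command that decodes as base64
    for token in re.findall(r"[A-Za-z0-9+/=]{%d,}" % min_len, command):
        try:
            base64.b64decode(token, validate=True)
            return True
        except ValueError:  # binascii.Error subclasses ValueError
            continue
    return False

def scan_crontab(text):  # one finding per entry that can never fire and/or embeds base64
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _ENTRY_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        _, _, dom, mon, _, command = m.groups()
        flags = {"never_runs": never_runs(dom, mon), "payload": has_base64_payload(command)}
        if any(flags.values()):
            findings.append({"line": n, "schedule": f"{dom} {mon}", **flags})
    return findings

# Constructed sample crontab (not a real CronRAT capture): one impossible date, one base64 command.
_PAYLOAD = base64.b64encode(b"echo constructed sample payload, not real malware").decode()
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/bin/certbot renew --quiet\n"
    "52 23 31 2 3 /bin/true\n"
    f"15 6 * * 1 /bin/sh -c 'echo {_PAYLOAD} | base64 -d | sh'\n"
)
```

Run `scan_crontab` over the output of `crontab -l` for each user and over the files under `/etc/cron.d` to review every entry that is flagged; a benign entry with a valid date and no embedded payload produces no finding.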

CronRAT, described as a “sophisticated Bash program”, implements a custom binary protocol with random checksums to avoid detection by firewalls and packet inspectors, and it comes with commands for self-destruction and timing modulation. When communicating with its command-and-control server, the malware uses an “exotic feature of the Linux kernel that enables TCP communication.”

The researchers note that all these features allow CronRAT’s operators to run any code on the compromised system.

“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” Sansec’s Director of Threat Research, Willem de Groot, said.
