Malware targeting Linux servers: CronRAT evades detection by cleverly hiding in tasks scheduled for execution on a non-existent date

New Linux malware targeting payment information on Web Stores. Pic credit: GotCredit/Flickr

New malware is using some simple loopholes to evade detection and continue stealing user data. The CronRAT malware is going after online stores to steal credit card and payment data.

Researchers have discovered a new Remote Access Trojan (RAT) that targets web stores running on Linux servers. The CronRAT malware has successfully fooled several antivirus engines and survives using a weird but effective technique.

CronRAT malware relies on cron jobs on Linux servers that are scheduled to execute on non-existent dates:

Many web admins and developers assume the Linux operating system is more secure and robust than Microsoft Windows Server editions. Linux servers also far outnumber Windows servers, and this is perhaps one of the reasons threat actors are increasingly going after non-Windows platforms.

Every Linux distribution, be it personal or server edition, comes with Cron. It is essentially the Task Scheduler for Linux Distros.

Strangely, the Linux cron system accepts date specifications as long as they have a valid format. Simply put, even if the entered date does not exist on the calendar, cron will still accept it if the fields are syntactically correct.

Intentionally entering a non-existent date, such as February 31, ensures the Scheduled Task will never execute. However, the task and the malicious code inside the task will continue to reside on the server.

CronRAT abuses this weird anomaly in the Linux task scheduling system. A report today from Dutch cyber-security company Sansec explains that it hides a “sophisticated Bash program” in the names of the scheduled tasks.

“The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st.”
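As an added illustration (not part of the article or of Sansec's report), the following Python script scans a crontab for entries whose day-of-month and month fields can never coincide on a real calendar, which is exactly the hiding spot described above. The sample crontab and its command paths are constructed; the day-of-week field is deliberately ignored because its interaction with day-of-month differs between cron implementations.

```python
import calendar

# Constructed sample crontab (not the real CronRAT crontab). The second entry
# uses the date specification quoted in the article, 52 23 31 2 3.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
52 23 31 2 3 /tmp/.x/run.sh
15 4 31 4,6,9,11 * /opt/backup.sh
30 2 29 2 * /opt/leap.sh
"""

def expand_field(field, lo, hi):
    """Expand one numeric cron field (lists, ranges, steps, *) into a set."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def date_can_occur(dom_field, mon_field):
    """True if some (month, day) pair in the spec exists on a real calendar.
    2024 is a leap year, so Feb 29 counts as reachable; day-of-week is ignored."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(mon_field, 1, 12)
    return any(d <= calendar.monthrange(2024, m)[1] for m in months for d in days)

def find_unreachable_jobs(crontab_text):
    """Return crontab lines whose day-of-month/month fields never match."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0][0] in "#@":  # blank, comment, @shortcut
            continue
        try:
            if not date_can_occur(fields[2], fields[3]):
                hits.append(line.strip())
        except ValueError:  # named months/days (jan, mon) are not handled here
            continue
    return hits
```

Entries it reports deserve a look at the command text, since a job that can never fire has no legitimate reason to exist.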

How does the new Linux malware infect servers and what information is it stealing?

Researchers have expressed surprise at the level of sophistication and ingenuity of the malware creators. The CronRAT malware, at its core, relies on a Bash Script.

However, the creators of the malware have reportedly taken a lot of pains to obfuscate the actual payload with multiple layers of compression and Base64 encoding.

After researchers cleaned up the code, they discovered the payload includes commands for self-destruction, timing modulation, and a custom protocol. Simply put, the Bash script has a timer, self-destruction protocol, as well as communication pathways to a remote server.

Interestingly, even the communication with the remote Command and Control server takes place using an “exotic feature of the Linux kernel that enables TCP communication via a file.”

Other researchers who have been following the same malware have discovered that CronRAT injects malicious scripts into the server’s configuration to steal payment card data.
