Over 10 years we help companies stay secure. Cyberium Converged Solutions is a values-driven technology cybersecurity solution provider.



A28 Kifaru (Kofisi) , Nyagumi Road, Nairobi

US +1 9808002188 KEN +254723398599

Cybersecurity Threat Security Vulnerabilities
CronRAT Malware Targets Linux Servers

CronRAT Malware Targets Linux Servers

Security researchers at Sansec (https://sansec.io/research/cronrat) have found a new stealth attack that targets Linux servers and uses a non-existent calendar day to stay off the radar.

This Remote Access Trojan (RAT) masks the actions of the attack by using the date February 31 and targets Linux-based web stores to trigger online payment skimmer threats.

The new ·CronRAT attack can execute fileless malware,. launch malware in separate subsystems, control servers disguised as Dropbear SSH services, hide payloads in legitimate cron tasks, and run anti-tampering commands. CronRAT bypasses browser-based security· scans and has already been discovered in live on­ line stores. The threat was injected into servers via a Magecart (payment skimming) attack.

This attack is made possible because cron only checks for a date format and not that the date of the task is legitimate. The crontab date specifcation for CronRAT is 52 23 31 2 3,. which would generate a runtime error upon execution. However, that runtime will never happen, because the data doesn’t exist.

Once CronRAT is executed, it contacts a Command and Control (C2) server at IP address using a fake banner for the Dropbear SSH service. The payloads of the commands are obfuscated with multiple layers of compression and Base64 encoding.

CronRAT is considered a serious threat to Linux e-commerce servers and has managed to bypass most detection algorithms. Sansec had to rewrite its algorithm to catch this dangerous threat.



Leave a comment

Your email address will not be published. Required fields are marked *