New Linux Malware CronRAT Hides in Cron Jobs with Invalid Dates
Researchers from the Dutch company Sansec have discovered a new remote access trojan (RAT) for Linux that evades detection by hiding in scheduled tasks set for non-existent dates—specifically, February 31. The malware, named CronRAT, primarily targets online stores, allowing attackers to steal credit card data and deploy web skimmers on Linux servers (a type of MageCart attack). Unfortunately, many security solutions simply “don’t see” CronRAT due to several unique features in its operation.
How CronRAT Works
CronRAT abuses a quirk of the Linux cron scheduler: a crontab entry may name a calendar day that never occurs, such as February 31. Cron only checks that each field is syntactically valid, so it accepts such an entry even though the day itself doesn’t exist, and the scheduled task is simply never executed.
By taking advantage of this feature, CronRAT remains almost completely undetectable. According to Sansec’s report, the malware hides a “complex bash program” within the names of these scheduled tasks.
“CronRAT adds a number of tasks to the crontab with an unusual date specification: 52 23 31 2 3. These lines are syntactically correct, but will generate a runtime error if executed. However, this never happens, since the tasks are scheduled for February 31, which doesn’t exist.”
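As an added example (not Sansec’s code and not part of the original report), the following Python checker expands the day-of-month and month fields of each crontab line and flags entries that name only calendar days that can never occur, such as the 31 February schedule quoted above. It assumes standard five-field Vixie-style crontab lines; the sample crontab is constructed and its payload is a placeholder.

```python
# Highest day per month; February gets 29 so a leap-year "29 2" entry is not flagged.
DAYS_IN_MONTH = dict(zip(range(1, 13), [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]))
MONTH_NAMES = {n: i + 1 for i, n in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}

def expand_field(field, lo, hi, names=None):
    """Expand one cron field ('*', lists, ranges, steps, names) into a set of ints."""
    names = names or {}
    to_int = lambda tok: names[tok] if tok in names else int(tok)
    values = set()
    for part in field.lower().split(","):
        part, _, step = part.partition("/")
        step = int(step or 1)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = map(to_int, part.split("-", 1))
        else:
            start = to_int(part)
            end = hi if step > 1 else start  # cronie reads "5/2" as 5,7,9,...
        values.update(range(start, end + 1, step))
    return values

def never_fires(line):
    """True if the day-of-month/month fields name only non-existent dates, like
    CronRAT's "52 23 31 2 3" (31 February). Day-of-week is ignored: no genuine
    schedule needs an impossible calendar day at all."""
    s = line.strip()
    if not s or s[0] in "#@" or "=" in s.split()[0]:
        return False  # blank, comment, @reboot-style or VAR=value line
    fields = s.split(None, 5)
    if len(fields) < 6:
        return False  # not a schedule line
    days = expand_field(fields[2], 1, 31)
    months = expand_field(fields[3], 1, 12, MONTH_NAMES)
    return all(d > DAYS_IN_MONTH[m] for m in months for d in days)

def scan_crontab(text):
    """Return the lines of a crontab dump that can never execute."""
    return [ln for ln in text.splitlines() if never_fires(ln)]

# Constructed sample crontab: normal jobs plus one CronRAT-style entry (payload is a placeholder).
SAMPLE = """\
PATH=/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh
52 23 31 2 3 echo '<encoded payload would sit here>' | base64 -d | sh
30 4 31 apr * /opt/report.sh
"""
```

Run it over `crontab -l` output for each user and over the files in /etc/cron.d; any line it returns warrants inspection of the command text, which in the CronRAT case is where the payload lives.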
Obfuscation and Communication
The actual payload is obfuscated using multiple layers of compression and Base64 encoding. Researchers say this code includes commands for self-destruction, time modulation, and a custom protocol that allows communication with a remote server.
The malware is known to connect to a command-and-control (C&C) server (47.115.46.167) using an “exotic Linux kernel feature that enables TCP communication via a file.” Additionally, the connection is made over TCP port 443 using a fake banner for the Dropbear SSH service, which also helps the trojan remain undetected.
Threat to E-Commerce Servers
CronRAT has been found in many online stores worldwide, where it was used to inject special skimmer scripts that steal payment card data. Sansec describes the malware as “a serious threat to Linux-based eCommerce servers.”
The problem is made worse by the fact that CronRAT is almost invisible to security solutions. According to VirusTotal, 12 antivirus solutions were unable to process the malicious file at all, and 58 did not detect any threat in it.
Sources
- Sansec Research