CronRAT, the e-commerce malware

Experts have identified a new Linux RAT that was dubbed “CronRAT”. It stands out through its hiding place, as it can be found in different tasks which have a schedule-timeline for February 31st, a day, that of course, does not exist.

CronRAT keeps a low profile for the moment, being almost invisible and its targets seem to be web stores. Hackers engage in deployment on Linux servers of online payment skimmers with the final goal of performing credit card info theft.


What is CronRAT?

CronRAT is the remote access trojan (RAT) for Linux that hides in the operating system’s scheduled tasks to run on February 31, a date that does not exist.

CronRAT is a malware that currently targets online stores and allows attackers to steal credit card information by installing online payment skimmers on Linux servers.

It has been recognized on several MageCart servers around the world, characterized by inventiveness and cunning, and is still unknown by almost all antivirus engines.

CronRAT exploits a vulnerability in the scheduling system of the Open Source OS, called cron, which does not prohibit scheduling activities in days that do not exist in the calendar, such as February 31st.

In fact, even if it is a non-existent day in the calendar, the Linux cron system respects the date requirements as long as they have a correct format, which implies that the scheduled work will not run, but at the same time it will not cause the service to fail cron, as long as the format is correctly expressed.


How CronRAT works

In the observed cases, the payloads are in fact reported in the crontab file with date expressions such as: 52 23 31 2 3 (actually syntactically correct, but logically impossible to execute).

CronRAT relies on this to maintain its anonymity.

According to research published by Sansec, CronRAT hides a “sophisticated bash program” in the titles of the scheduled tasks on the crontab file.

The payloads (hidden in the names of the activities scheduled in non-existent days) are obfuscated with multiple levels of compression and Base64 encoding.

In addition, the code, during the study, has been cleaned of the different levels of compression and appears to contain commands for temporal modulation, self-destruction and a custom protocol for communication.

The researchers found that the malware communicates with a command and control (C2) server using an unusual feature of the Linux kernel that allows TCP connection via a file that the researchers themselves have called “exotic”.

Furthermore, the malware uses a bogus banner for the Dropbear SSH service to connect via TCP through port 443, which helps it to go undetected.

After accessing the command and control server, it sends and receives various commands and obtains a malicious dynamic library.

CronRAT attackers can then execute any command on the compromised machine after these exchanges are finished.

As reported in Sansec’s analysis, CronRAT’s groundbreaking execution approach also bypassed the researchers’ detection algorithm, eComscan, and had to tweak it to identify the new threat.

According to the report’s authors, CronRAT has been identified on a large number of Internet sites dedicated to e-commerce.


How to protect yourself from CronRAT

As this is a new and previously unknown threat, the researchers themselves report that CronRAT belongs to a subject yet to be explored, for which many characteristics are not clear and which will certainly require further investigation.

For example, it is not clear how the infection occurs. It is being studied whether existing vulnerabilities of MageCart can be exploited, whether it is necessary to exploit actions by the end-user (perhaps unaware and involved with social engineering techniques) or whether it is necessary to obtain physical access instead to the Linux server.

In any case, it is a research in progress, which will open new scenarios in the security of e-commerce applications, or in any case of those systems that deal with credit card codes and payment data.