How Sneaky Linux Malware Hides Behind Events Scheduled to Run on February 31

Attackers used a rogue entry in the Linux calendaring system, scheduled for the invalid date of February 31, to conceal malware linked to Magecart skimming.

CronRAT is a surveillance tool that quietly monitors activity on the infected server and reports back to the attackers.

Researchers at Sansec discovered it lurking on numerous online retailers just days before Black Friday, when people everywhere were rushing to shop online for bargains.

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” the researchers write.

According to Sansec, many of these infections have occurred since the introduction of Magecart malware more than three months ago.

Sansec has identified numerous instances in which CronRAT helped the attackers deploy Magecart payment skimmers in server-side code on e-commerce platforms.

A fresh approach.

The Linux cron system accepts a job scheduled for any date as long as the entry is syntactically valid, according to Sansec. The attackers take advantage of this “feature” to install CronRAT on a date that never occurs.
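As an added example (not code from the article or from Sansec), the Python script below audits crontab text for the hiding technique just described: entries whose day-of-month and month fields can never coincide on a real calendar date. It assumes the standard five-field crontab format used by user crontabs (the extra user column in /etc/crontab is not handled), expands lists, ranges, steps and month names, and runs against a constructed sample crontab embedded in the file. The day-of-week field is deliberately ignored, because the check is about impossible calendar dates, not about whether the job could still fire.

```python
"""Flag crontab entries whose day-of-month/month combination can never occur.

Added example for auditing cron for CronRAT-style hiding spots; not part of
the original article. Sample crontab below is constructed for this example.
"""
import re

MONTH_NAMES = {name: num + 1 for num, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"])}

# Longest possible length of each month; February gets 29 so leap days are
# treated as possible and not flagged.
MAX_DAYS = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
            7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# minute hour day-of-month month day-of-week command
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def _to_int(token, names):
    """Convert a cron token to an int, accepting names such as 'feb' when given."""
    if names and token in names:
        return names[token]
    return int(token)


def expand_field(field, lo, hi, names=None):
    """Expand one cron field ('*', '1,15', '1-5', '*/5', '1-10/2', 'feb') into a set."""
    values = set()
    for part in field.lower().split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _to_int(a, names), _to_int(b, names)
        else:
            start = _to_int(part, names)
            # 'N/step' (an extension some crons accept) means N..hi in steps.
            end = hi if step > 1 else start
        values.update(range(start, end + 1, step))
    return values


def schedule_date_pairs(dom_field, mon_field):
    """Return (possible, impossible) sets of (month, day) pairs for an entry."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(mon_field, 1, 12, MONTH_NAMES)
    possible = {(m, d) for m in months for d in days if d <= MAX_DAYS[m]}
    impossible = {(m, d) for m in months for d in days if d > MAX_DAYS[m]}
    return possible, impossible


def audit_crontab(text):
    """Return findings for entries that no calendar date can ever satisfy.

    Each finding is a dict with the 1-based line number, the impossible
    (month, day) pairs and the scheduled command.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, @reboot-style shortcuts and VAR=value lines.
        if not line or line[0] in "#@" or re.match(r"^\w+=", line):
            continue
        match = CRON_LINE.match(line)
        if not match:
            continue
        _minute, _hour, dom, mon, _dow, command = match.groups()
        try:
            possible, impossible = schedule_date_pairs(dom, mon)
        except (ValueError, KeyError):
            continue  # malformed field; cron itself would reject the line
        if impossible and not possible:
            findings.append({"line": lineno,
                             "impossible": sorted(impossible),
                             "command": command})
    return findings


# Constructed sample crontab (not from any real system). Lines 6 and 7 can
# never match a real date; line 8 is fine because March 31 exists.
SAMPLE_CRONTAB = """\
# constructed sample crontab for this example
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
0 0 31 * * /opt/report/end-of-month.sh
@daily /usr/local/bin/cleanup
0 2 31 2 * /var/tmp/.cache/update
15 4 30,31 feb * /var/tmp/.cache/sync
30 1 31 2,3 * /opt/legit/quarterly.sh
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']}: impossible dates "
              f"{finding['impossible']} -> {finding['command']}")
```

Feed it the output of `crontab -l` for each account, plus the files under /var/spool/cron and /etc/cron.d, to cover the places an entry like this could sit. One caveat for triage: the script only reports entries that no calendar date can satisfy, and it ignores the day-of-week field. Under the usual cron rule that a restricted day-of-week field can match independently of a restricted day-of-month field, such an entry may still execute on the listed weekdays, so treat a hit as a strong indicator of a deliberate hiding spot and inspect the command rather than assuming the job is dormant.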

The researchers point out that CronRAT hides a “complex Bash program” that uses techniques such as self-destruction, timing modulation, and a custom binary protocol to communicate with a remote control server, so that it can carry out its malicious activity without raising suspicion.

The malware establishes a TCP connection to the control server via another “exotic feature” of the Linux kernel that allows file-based TCP communication. It then takes several actions to establish a persistent backdoor on the targeted server, which essentially gives CronRAT operators access to run any code they wish on it.

“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” suggests Willem de Groot, director of threat research, Sansec.
