Application Security , Fraud Management & Cybercrime , Incident & Breach Response
Sneaky New Magecart Malware Hides in Cron Jobs
CronRAT Hides in Nonexistent Days in the Calendar Subsystem of Linux ServersA new remote access Trojan that uses a unique stealth technique to help it stay undetected on a victim's infrastructure and conceal a magecart-style malware has been uncovered.
See Also: Gartner Guide for Digital Forensics and Incident Response
Dubbed CronRAT, it hides in the Linux calendar subsystem as a task that has a nonexistent date, such as Feb. 31. The malware remains undetected by the security vendor and enables server-side Magecart data theft that bypasses browser-based security solutions, according to researchers at Dutch security firm Sansec.
"This is very concerning, having been discovered just after Black Friday and Cyber Monday, as well as before the upcoming busy Christmas shopping period, where many unsuspecting shoppers will likely move to online shopping due to the new variant of COVID-19, which may result in further restrictions limiting in-person shopping," says Joseph Carson, chief security scientist and advisory CISO at enterprise security firm ThycoticCentrify.
So far, Sansec has not directly tied this recently uncovered RAT to one particular Magecart group. And while it’s not clear who exactly is behind this malware, the report notes that its operators have created an unusual and sophisticated threat that is packed with never-before-seen stealth techniques.
Previously reported Magecart-style attacks describe a malicious skimming script injected into payment checkout pages, with credit card and personal information skimmed off and sent to a remote server, according to analysis by Trend Micro.
"This newly discovered malware uses a server-side magecart that skims credit cards, so the motive here is financial theft using stolen credit cards. The cybercriminals are targeting online retailers, and their victims will be the unsuspecting shoppers looking to get a good deal online. However, such good deals could likely turn into expensive, hidden charges," Carson says.
Technical Analysis
"CronRAT’s main feat is hiding in the calendar subsystem of Linux servers - or "cron" - on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system," the researchers note. "CronRAT facilitates persistent control over an eCommerce server."
A cron job is used to set up and maintain software environments, which use cron to schedule jobs to run periodically at fixed times, dates or intervals.
The researchers also say that they analyzed several cases in which CronRAT was injecting Magecart payment skimmers in server-side code.
"Digital skimming is moving from the browser to the server, and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface," says Willem de Groot, director of threat research at Sansec.
The malware adds a cron command-line utility, also known as a cron job or a crontab, which is a job scheduler on Unix-like operating systems. The CronRAT adds various tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are valid, but they generate a run time error when executed.
"However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding," the researchers say.
Moreover, the actual payload seen by the researchers is a "sophisticated" Bash program that has commands for timing modulation, self-destruction and a custom protocol to communicate with a foreign control server.
Once launched, the payload contacts a C2 server - 47[.]115[.]46[.]167 - using a unique feature of the Linux kernel that allows TCP communication using a file via port 443 on 47.115.46.167, an Alibaba-hosted IP that generates a fake banner for the Dropbear SSH service, which is a software package that provides a Secure Shell-compatible server and client. This helps the malware to stay under the radar.
Upon successful C2 connection, the payload sends and receives commands and obtains a malicious dynamic library, which helps the operator execute any command on the infected system.
CronRAT’s stealth capabilities include fileless execution, timing modulation and anti-tampering checksums, controlled via binary, obfuscated protocol, among others, to make it virtually undetectable.
Detecting CronRAT
Craig Rowland, founder and security researcher at Linux-focused security firm Sandfly Security, describes how the malware uses a bogus date, February 31st, inside of crontab to hide payload data. In tweets, he notes how it allows an obfuscated shell script to run and connect to a C2 server using a customized encrypted protocol.
The #cronrat malware is being reported as set to run on February 31st, but this is not correct. It is using crontab entries that are wrong simply to hold payload data so it is harder to find. Cron is just being used as a file folder vs. saving payload data in another area.
— Agentless Linux Security - Craig Rowland (@CraigHRowland) November 28, 2021
"The cron system was not meant to run the entries so the invalid date didn't matter. The cron entries were just being used to hold the malware data from observation by system administrators. The invalid date therefore was not meant to be parsed by the cron system but was just used for payload storage," Rowland says in his blog post. "I'll go over two ways to quickly check your systems for this malware. First is for the bogus date, that is obvious, but the better way is to flag cron commands that are excessively long to spot variants."
"It is critical that online retailers take proactive approaches to cybersecurity and look for indicators of compromise for CronRAT, while ensuring they check for any existence of this malware: a very sophisticated BASH script that takes several measures to remain hidden. Retailers should check their Linux systems to secure and harden them," Carson says. "Shoppers should always take precautions when shopping online: Never use a debit card for online purchases, always check your credit card statement for suspicious purchases and make sure to limit your card to an amount that would not make serious damage to your financial situation."
"Most people think of Linux systems as invulnerable to malware, but this isn’t true," says Ron Williams, PCI QSA Consultant of IT Governance Ltd. "The PCI DSS standard, which all entities who are handling/securing Cardholder Data should be complying with, offers excellent guidance and provides mitigation against such attacks. The installation of anti-malware software is a fundamental defense against such an attack as companies are constantly developing new signatures for such tools. The most modern packages can contain Host Intrusion Detection Systems (HIDS), which can use machine learning to identify a possible compromise not in the signature base."
"All servers handling cardholder data should have connections explicitly locked down by the firewall to prevent the RAT from being able to call home. Beyond that, making sure your devices, operating systems and software packages are always fully up to date with vendor security patches is essential. These may seem like simple, fundamental steps that a good number of organizations are already taking, but they are massively effective against RATs and other aggressive malware."