Liam Tung | November 26, 2021 | Topic: Security
Security researchers have discovered new remote access trojan (RAT) malware that uses an unusual new way of hiding on servers.
As first reported on BleepingComputer, this new malware, dubbed CronRAT, hides in scheduled tasks on Linux servers by being set for execution on February 31, a date that doesn’t exist.
Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend in Linux server-focused Magecart malware. CronRAT is used to enable server-side Magecart data theft.
The security company describes the malware as “sophisticated”, and it remains undetected by most antivirus vendors. After receiving samples to discover how the malware works, Sansec had to rewrite its detection engine to spot it.
The name CronRAT is a reference to the Linux cron tool, which allows admins to schedule jobs on a Linux system to run at a specific time of day or on a regular day of the week.
“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” explains Sansec in a blog post.
The malware drops a “sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server,” says Sansec.
Magecart card skimmers are a problem that’s not going away any time soon as e-commerce continues to play a vital role in shopping during the ongoing pandemic. Ahead of Black Friday, the National Cyber Security Centre (NCSC) warned it had found 4,151 retailers that had been compromised by hackers targeting bugs in checkout pages over the past 18 months. Most of the attacks targeted bugs in popular e-commerce platform Magento. The FBI last year issued a similar warning about Magecart attackers targeting a Magento plugin.