A new Trojan used to access a device remotely has been discovered by security researchers. It uses an unconventional method of hiding on servers.
BleepingComputer reports that this new malware, dubbed CronRAT, lurks in scheduled tasks on Linux servers. For this, he schedules tasks to be performed for February 31 … a date that does not exist.
Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend in Magecart malware focused on Linux servers. CronRAT is used to enable Magecart data theft on the server side.
Sophisticated malware
Bleeping Computer describes the malware as “sophisticated”. Furthermore, it is not detected by most antivirus. Sansec had to rewrite its detection engine to spot the malware, after analyzing samples, to find out how it worked.
The name CronRAT refers to the Linux cron tool, which allows administrators to create scheduled tasks on a Linux system at a specific time of day or on a regular day of the week.
“The main exploit of CronRAT is to hide in the calendar subsystem of Linux servers (‘cron’) on a nonexistent date. That way, it doesn’t catch the attention of administrators. And many security products do not scan the Linux cron system ”, explains Sansec in a blog post.
The malware deposits a “sophisticated Bash program that includes self-destruct functions, time modulation and a custom binary protocol to communicate with a control server,” he says.
Magecart attacks are popular
Credit card data theft attacks, referred to as the “Magecart” attack, are a problem that is not going to go away any time soon, as e-commerce continues to play a critical role in purchases during the period. pandemic in progress.
Shortly before Black Friday, the US National Cyber Security Center (NCSC) warned that it had identified 4,151 online merchants whose business had been compromised by hackers targeting vulnerabilities in payment pages in the past 18 months. Most of the attacks targeted flaws in the popular Magento e-commerce platform.
Last year, the FBI issued a similar warning regarding Magecart attackers who targeted a Magento plugin.
Source : ZDNet.com
–
