Also, many security products do not scan the Linux cron system. Sansec claims to have seen multiple cases where CronRAT helped attackers inject the Magecart payment skimmer into the server-side code of e-commerce platforms.
The attackers used a novel approach to hide the Magecart malware in the Linux cron scheduling system on the invalid date of February 31st. Dubbed CronRAT by Sansec cybersecurity researchers, the malware was spotted on multiple online stores just before the Black Friday online shopping frenzy. “CronRAT’s main function is to hide in the Linux server’s calendar subsystem (“Cron”) on nonexistent days. That way it won’t attract the attention of the server admin.”
On startup, the malware connects to its control server through another “exotic feature” in the Linux kernel that allows TCP communication through files. It then performs multiple actions to create a persistent backdoor to the compromised server, essentially allowing the CronRAT operator to execute arbitrary code on the server.
Sansec explains that the attackers are taking advantage of the fact that the Linux cron system accepts a task scheduled on any date, as long as the entry is in a valid format. Attackers use this “feature” to insert CronRAT on invalid dates. Researchers note that CronRAT hides a “sophisticated bash program”. The program uses various techniques such as self-destruction, timing adjustments, and custom binary protocols to communicate with an externally controlled server, carrying out its malicious business without alarming the administrator.
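A defender can turn this hiding technique into a check: any crontab entry whose day-of-month and month fields can never coincide on a real calendar (31 February, 31 April, and so on) deserves a look. The script below is an added example, not Sansec's code; it assumes the user-crontab layout (five time fields plus command) and scans a constructed sample crontab.

```python
# Added example (not Sansec's code): flag crontab entries whose day/month pair
# never occurs, like CronRAT's "February 31st". Assumes user-crontab layout
# (5 time fields + command); the sample crontab below is constructed.
MAX_DAY = dict(zip(range(1, 13), (31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)))
MONTHS = dict(zip("jan feb mar apr may jun jul aug sep oct nov dec".split(), range(1, 13)))

def expand(field, low, high, names=None):
    """Expand a cron field ('*', 'a-b', 'a,b', '*/n', month names) to ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        a, _, b = (f"{low}-{high}" if rng == "*" else rng).partition("-")
        start = int(names.get(a.lower(), a) if names else a)
        end = int(names.get(b.lower(), b) if names else b) if b else (
            high if step > 1 else start)
        values.update(range(start, end + 1, step))
    return values

def never_fires(entry):
    """True if the day-of-month/month fields match no real calendar date."""
    fields = entry.split(None, 5)
    if len(fields) < 6:
        return False
    _, _, dom, mon, dow, _ = fields
    # With a restricted day-of-week cron fires when EITHER dom/month OR dow
    # matches, so such entries still run; only judge entries with dow == '*'.
    if dow != "*" or dom == "*":
        return False
    return not any(d <= MAX_DAY[m]
                   for d in expand(dom, 1, 31) for m in expand(mon, 1, 12, MONTHS))

def scan_crontab(text):
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # skip blanks, comments, @reboot-style specials and VAR=value lines
        if not line or line[0] in "#@" or "=" in line.split()[0]:
            continue
        if never_fires(line):
            hits.append((no, line))
    return hits

SAMPLE = """# constructed sample crontab, not from a real host
PATH=/usr/bin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
52 6 31 2 * /var/tmp/.x/run.sh
15 4 31 apr,jun * /opt/report.sh
0 0 31 2 1 /bin/true
"""
```

Running `scan_crontab(SAMPLE)` reports lines 4 and 5 as schedules that can never fire; the last entry is not flagged because its weekday restriction makes it run on Mondays in February. Entries on impossible dates are only a lead, so the flagged command and any file it points to still need to be inspected by hand.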
“Digital skimming is moving from the browser to the server, and this is another example. Most online stores only implement browser-based defenses, and criminals exploit unprotected backends. Security professionals need to seriously consider the entire attack surface,” said Willem de Groot, director of threat research at Sansec.