Sneaky Linux malware hides behind events scheduled to run on February 31

(Image credit: solarseven / Shutterstock)

Attackers have used a novel approach by hiding a magecart malware in the Linux calendaring system on an invalid date, February 31.

Dubbed CronRAT by cybersecurity researchers at Sansec, the malware was found lurking on multiple online stores just ahead of the Black Friday online shopping extravaganza. 

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” share the researchers.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Sansec claims to have seen several instances where CronRAT had helped the attackers inject magecart payment skimmers in the server-side code on the ecommerce platforms

Novel approach

Sansec explains that the attackers take advantage of the fact that the Linux cron system can schedule tasks on any date as long as it has a valid format. The attackers use this “feature” to insert CronRAT on an invalid date. 

The researchers note that CronRAT hides a “sophisticated Bash program” that employs various techniques including self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server, in order to go about its malicious business without spooking admins.

When launched, the malware contacts the control server using another “exotic feature” of the Linux kernel that enables TCP communication via a file. It then performs several actions to create a persistent backdoor to the attacked server, which essentially allows CronRAT operators to run any code on the server.

“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” suggests Willem de Groot, director of threat research, Sansec.

Batten down the hatches with the help of these best firewall apps and services, and ensure your computers are protected with these best endpoint protection tools.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.