
CronRAT Abuses Linux Task Scheduler to Stay Under the Radar

A new, highly sophisticated RAT packed with new stealth techniques is circulating. It hides in the Linux calendar subsystem as a task scheduled for a nonexistent date, namely February 31.

What has been discovered

CronRAT was discovered infecting various online stores around the world, including the largest outlet in one country.

  • The malware hides in tasks scheduled for execution on nonexistent days, which helps the attackers stay under the radar of server administrators.
  • In most of the occurrences, it was leveraged to inject online payment skimmers on a victim’s server.

How does it work?

CronRAT abuses the scheduled task names of the cron subsystem on Linux servers to remain hidden.

  • The payloads are obfuscated with multiple layers of compression and Base64 encoding. Moreover, the code has commands for timing modulation, self-destruction, and a custom protocol for communication.
  • The malware contacts a C2 server (47[.]115[.]46[.]167) using a feature of the Linux kernel that allows TCP communication using a file.
  • The connection is established over TCP using port 443 via a fake banner for the Dropbear SSH service. This further helps the malware to stay hidden.
  • After reaching a C2 server, it sends and receives numerous commands and obtains a malicious dynamic library. Moreover, the operators can execute any command on the infected system.
  • Several capabilities, such as fileless execution, timing modulation, anti-tampering checksums, control via a binary, obfuscated protocol, and others, make CronRAT virtually undetectable.

Conclusion

Cybercriminals are now developing sophisticated malware such as CronRAT to steal information from web stores. The stolen information can be sold online for illicit money or used in future attacks. Organizations are therefore advised to invest more in data protection solutions to secure sensitive information.

Source: https://cyware.com/news/cronrat-abuses-linux-task-scheduler-to-stay-under-the-radar-ebac80c4
