Sneaky Linux malware hides behind events scheduled to run on February 31

Tackling such malware requires a holistic approach to security, researchers claim

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Attackers have used a novel approach by hiding a magecartmalwarein theLinuxcalendaring system on an invalid date, February 31.

Dubbed CronRAT bycybersecurityresearchers at Sansec, the malware was found lurking on multipleonline storesjust ahead of theBlack Fridayonline shopping extravaganza.

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,”sharethe researchers.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

Sansec claims to have seen several instances where CronRAT had helped the attackers inject magecart payment skimmers in the server-side code on theecommerce platforms.

Novel approach

Novel approach

Sansec explains that the attackers take advantage of the fact that the Linux cron system can schedule tasks on any date as long as it has a valid format. The attackers use this “feature” to insert CronRAT on an invalid date.

The researchers note that CronRAT hides a “sophisticated Bash program” that employs various techniques including self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server, in order to go about its malicious business without spooking admins.

When launched, the malware contacts the control server using another “exotic feature” of the Linux kernel that enables TCP communication via a file. It then performs several actions to create a persistent backdoor to the attacked server, which essentially allows CronRAT operators to run any code on the server.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” suggests Willem de Groot, director of threat research, Sansec.

Batten down the hatches with the help of thesebest firewall apps and services, and ensure your computers are protected with thesebest endpoint protection tools.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

Smeg Combi Steam Oven review: a multi-functional countertop oven that looks stunning and cooks well