[MART] - Daily Diary #398 - Meet CronRAT, A New Linux Malware

CTAS-MAT ctas-mat at appgate.com
Thu Nov 25 21:20:59 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/25/2021 - Diary entry #398:


CronRAT is a new Remote Access Trojan targeting Linux OS and undetected by all antivirus engines at the time of this writing. Packed and heavily obfuscated, CronRAT hides its execution payload in the Linux calendar system (CRON) on February 31st. Since it is not a valid date, the cron job is never executed. It's just an attempt to not attract attention from server administrators.


The actual malware code is hidden in the task names and is constructed using layers of compression and base64 decoding. Once executed, it has the capability of self-destruction, timing modulation, anti-tampering checksums, and a custom protocol established with its C2, via port 443, using a fake banner for the Dropbear SSH service. As soon as the communication is established, it can execute any command on the compromised system.


CronRAT is used during Magecart attacks, which are data skimming attacks targeting eCommerce websites. The threat actor must gain access to the website, then skim (collect) the sensitive information and send it to a server controlled by the attackers.


Kind Regards,


Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
