Sansec announced that the company has discovered a new and sophisticated threat targeting online stores. The malware, named “CronRAT”, is not currently recognized by other security vendors, which means it will probably stay undetected in the coming months. CronRAT enables server-side Magecart data theft by bypassing browser-based security solutions.
Hides in the calendar subsystem
Sansec announced that they have detected CronRAT on multiple online stores. The company also claims that one of these stores is among the nation’s largest outlets. To be able to detect the malware, Sansec had to rewrite a part of its eComscan algorithm.
CronRAT hides in the calendar subsystem of Linux servers (cron) on a nonexistent day, such as 31 February. The malware managed to stay undetected because most security products don’t scan this subsystem, and an entry that never fires rarely attracts the attention of server administrators.
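A cron job scheduled for a date that does not exist is stored by cron but never executed, which is what lets the line sit unnoticed while carrying a payload. The following is an added, defender-side example (not Sansec's eComscan code and not anything from the CronRAT samples): it parses crontab syntax and flags entries whose day-of-month and month fields can never coincide on a real calendar date. The sample crontab is constructed for illustration; the `scan_paths` helper and the file locations named in its docstring are assumptions about a typical Linux layout.

```python
"""Flag crontab entries whose day-of-month/month combination can never occur.

Added example, not Sansec's eComscan code. The sample crontab below is
constructed for illustration; the "31 2" entry mimics the impossible-date
trick (a job scheduled for 31 February never fires, so cron stores the
line without ever executing it).
"""
import re
import sys

# Longest possible length of each month (February = 29 to allow leap years).
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
           7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTH_NAMES = {name: i for i, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}

# Constructed sample; only the third line uses an impossible date.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
52 6 31 2 * /var/www/html/cron.sh
15 3 30 4 * /usr/local/bin/report.sh
*/5 * * * * /usr/bin/php /var/www/magento/bin/magento cron:run
"""

CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def _num(token, names):
    token = token.lower()
    if names and token in names:
        return names[token]
    return int(token)


def expand_field(field, lo, hi, names=None):
    """Expand one crontab field ('*', '1-5', '*/10', '1,15', 'feb') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _num(a, names), _num(b, names)
        else:
            start = end = _num(part, names)
            if step > 1:  # "5/10" style: start at 5 and step to the end of the range
                end = hi
        values.update(range(start, end + 1, step))
    return values


def impossible_dates(crontab_text):
    """Return (line_no, line, reason) for schedules that can never fire."""
    findings = []
    for line_no, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#@":   # comments, @reboot-style entries
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        _minute, _hour, dom, mon, dow, _command = m.groups()
        # Vixie cron: when both dom and dow are restricted, the job runs when
        # EITHER matches, so a restricted dow keeps the entry alive. Skip those.
        if not dow.startswith("*"):
            continue
        try:
            days = expand_field(dom, 1, 31)
            months = expand_field(mon, 1, 12, MONTH_NAMES)
        except ValueError:
            continue   # malformed field; leave it to the crontab parser
        # Out-of-range months map to 0 days, so they are flagged as well.
        if not any(day <= MAX_DAY.get(month, 0) for month in months for day in days):
            findings.append((line_no, stripped,
                             f"day-of-month '{dom}' never occurs in month '{mon}'"))
    return findings


def scan_paths(paths):
    """Scan crontab files on disk (assumed locations: /etc/crontab, /etc/cron.d/*,
    /var/spool/cron/crontabs/*)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = impossible_dates(fh.read())
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_paths(sys.argv[1:])
    else:
        hits = {"<sample>": impossible_dates(SAMPLE_CRONTAB)}
    for path, findings in hits.items():
        for line_no, line, reason in findings:
            print(f"{path}:{line_no}: {reason}: {line}")
```

Run it with no arguments to see the constructed sample flagged, or pass crontab paths to scan a host. The day-of-week check matters: cron runs a job when either the day-of-month or the day-of-week matches if both are restricted, so only entries with an unrestricted day-of-week are truly dead. A hit from this scanner is a starting point for triage, not proof of compromise; the next step is to look at what the flagged command actually contains.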
CronRAT’s stealth capabilities pose a serious threat to Linux eCommerce servers:
- Fileless execution
- Timing modulation
- Anti-tampering checksums
- Controlled via binary, obfuscated protocol
- Launches tandem RAT in separate Linux subsystem
- Control server disguised as “Dropbear SSH” service
- Payload hidden in legitimate CRON scheduled task names
Willem de Groot, Director of Threat Research at Sansec, said:
“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface.”