Cybersecurity analysts have discovered a remote access trojan (RAT) known as CronRAT that is notable for the number of techniques it uses to avoid detection. For example, CronRAT hides in the Linux cron scheduler as a task with a nonexistent date, meaning that the system will never execute it. CronRAT’s primary purpose is to retrieve data from web stores, although attackers may also use it to stage subsequent attacks by other types of malware.
A RAT, also known as creepware, is a type of malware that controls a target system through a remote network connection. This capability has many legitimate uses such as desktop sharing and remote administration, but the use of the term “RAT” connotes a malicious intent like stealing information. A RAT is typically installed as the payload of another Trojan and uses various techniques to prevent detection by the victim and security applications like antivirus software.
What we know so far
The Dutch cybersecurity firm Sansec Threat Research reported on November 24, 2021 that it had discovered CronRAT in many online stores throughout the world, including the largest ecommerce site in one country. This malware hides in tasks that are scheduled for execution on nonexistent days like February 31st, making it difficult for administrators to detect since the task never runs. In most of these cases, the attacker used CronRAT to inject an online payment skimmer into the server, which retrieves customer payment information from the infected system and relays it to the attacker.
How does it work?
CronRAT abuses cron, the command-line utility that schedules jobs on Unix-based operating systems like Linux. The trojans that deliver CronRAT to the target server use multiple layers of compression and Base64 encoding to obfuscate the payload. They also vary the timing of the payload’s delivery, and the dropper deletes itself once CronRAT has infected the server.
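The impossible-date trick described above is something an administrator can check for directly. The following is an added example, not code from the original article or from Sansec, that parses crontab-style lines and flags entries whose day-of-month/month combination can never occur (such as day 31 in February) and therefore never fire. The sample crontab is constructed; the `/tmp/.cache/update` entry is a made-up placeholder, not a real CronRAT indicator. The script also handles the cron edge case that matters here: when both the day-of-month and day-of-week fields are restricted, cron runs the job when either matches, so only an entry with an unrestricted day-of-week field is truly dead.

```python
"""Flag crontab entries whose schedule can never fire (e.g. 31 February).

Added example for illustration. The sample crontab below is constructed,
not taken from a real infected host.
"""
import calendar

# Lower-cased three-letter month names that cron accepts in the month field.
MONTH_NAMES = {name.lower(): i for i, name in enumerate(calendar.month_abbr) if name}


def _to_int(token, names):
    """Convert one cron token ('7', 'feb') to an int, honouring name aliases."""
    token = token.strip().lower()
    if names and token in names:
        return names[token]
    return int(token)


def _expand(field, lo, hi, names=None):
    """Expand a cron field ('*', '1-5', '*/2', '1,15', 'feb,apr') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _to_int(a, names), _to_int(b, names)
        else:
            start = end = _to_int(part, names)
        values.update(range(start, end + 1, step))
    return values


def _days_in(month):
    """Longest possible length of a month; 2024 is a leap year so February yields 29."""
    return calendar.monthrange(2024, month)[1]


def impossible_dates(dom_field, month_field):
    """Return sorted (day, month) pairs that the schedule names but that never exist."""
    days = _expand(dom_field, 1, 31)
    months = _expand(month_field, 1, 12, MONTH_NAMES)
    return sorted((d, m) for m in months for d in days if d > _days_in(m))


def never_runs(dom_field, month_field):
    """True only if *every* (day, month) combination the entry allows is impossible."""
    days = _expand(dom_field, 1, 31)
    months = _expand(month_field, 1, 12, MONTH_NAMES)
    return all(d > _days_in(m) for d in days for m in months)


def find_dead_cron_entries(text):
    """Return [(line, impossible_dates)] for crontab lines that can never fire."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # blank line, comment, or @reboot-style macro
        fields = line.split(None, 5)
        if len(fields) < 6 or "=" in fields[0]:
            continue  # VAR=value assignment or malformed line
        _minute, _hour, dom, month, dow, _command = fields
        # cron semantics: if both day-of-month and day-of-week are restricted the
        # job runs when EITHER matches, so a dead date can still fire on a weekday.
        if dow != "*":
            continue
        try:
            if never_runs(dom, month):
                findings.append((line, impossible_dates(dom, month)))
        except ValueError:
            continue  # unparsable field; leave for manual review
    return findings


# Constructed sample crontab (not a real capture); the /tmp path is a placeholder.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# nightly log rotation
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/healthcheck
52 6 31 2 * /tmp/.cache/update
0 0 31 4,6 * /usr/local/bin/report
0 0 29 2 * /usr/local/bin/leapday
0 0 31 2 5 /usr/local/bin/runs-on-fridays
"""

if __name__ == "__main__":
    for line, bad in find_dead_cron_entries(SAMPLE_CRONTAB):
        print(f"never fires ({bad}): {line}")
```

Run it against `crontab -l` output for every account (and the files under `/etc/cron.d`, `/etc/crontab` and `/var/spool/cron`): the `29 2` entry is correctly left alone because February 29 exists in leap years, and the `31 2 5` entry is left alone because cron would still run it on Fridays. Any entry that is flagged deserves a look at its command, since a schedule that can never fire has no legitimate reason to exist.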
When CronRAT obtains the information it’s looking for, it contacts a command and control (C2) server operated by the attacker using a custom protocol. This protocol establishes a TCP connection to the C2 server on port 443 and presents a fake banner for the Dropbear SSH service, helping CronRAT blend in and remain hidden from system administrators. Once the connection is made, CronRAT transfers a file containing the information of interest to the attacker by exchanging commands with the C2 server. The transfer process also involves a dynamic library containing malicious commands that CronRAT can execute on the infected system. Additional measures that make CronRAT very hard to detect include fileless execution and anti-tampering checksums.
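The fake SSH banner on port 443 is itself a detectable anomaly: port 443 should carry TLS, whose records begin with a content-type byte and a 0x03 version byte, whereas an SSH identification string starts with the literal text `SSH-`. The following added example, not code from the original article or from Sansec, classifies connection records by comparing the destination port with the first payload bytes seen on the flow. The flow records are constructed, and the `SSH-2.0-dropbear` banner is an assumed illustrative value; the article does not give the exact banner CronRAT uses.

```python
"""Flag port-443 flows whose first payload bytes are an SSH banner, not TLS.

Added example for illustration; SAMPLE_FLOWS below is constructed, not captured traffic.
"""

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def looks_like_tls(first_bytes):
    """A TLS record starts with a content type followed by version bytes 0x03 0x0X.

    This matches both the client's ClientHello (0x16 0x03 0x01) and the server's
    reply (0x16 0x03 0x03), so the check works on either direction of the flow.
    """
    return (len(first_bytes) >= 3
            and first_bytes[0] in TLS_CONTENT_TYPES
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04)


def looks_like_ssh_banner(first_bytes):
    """RFC 4253 identification string: 'SSH-protoversion-softwareversion' + CRLF."""
    return first_bytes.startswith(b"SSH-")


def classify_flow(dst_port, first_bytes):
    """Return a verdict for one flow from its destination port and first payload bytes."""
    if dst_port == 443:
        if looks_like_tls(first_bytes):
            return "ok-tls"
        if looks_like_ssh_banner(first_bytes):
            return "suspicious-ssh-banner-on-443"
        return "suspicious-non-tls-on-443"
    if dst_port == 22 and looks_like_ssh_banner(first_bytes):
        return "ok-ssh"
    return "unclassified"


# Constructed flow records: (src, dst, dst_port, first payload bytes on the flow).
# Addresses are from documentation ranges; the dropbear banner is an assumed value.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello
    ("10.0.0.5", "203.0.113.20", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),                         # normal SSH
    ("10.0.0.7", "198.51.100.9", 443, b"SSH-2.0-dropbear\r\n"),                          # SSH banner on 443
    ("10.0.0.7", "198.51.100.9", 443, b"HELLO\x00\x01"),                                 # neither TLS nor SSH
]


def find_suspicious(flows):
    """Return (src, dst, port, verdict) for every flow whose verdict is suspicious."""
    results = []
    for src, dst, port, data in flows:
        verdict = classify_flow(port, data)
        if verdict.startswith("suspicious"):
            results.append((src, dst, port, verdict))
    return results


if __name__ == "__main__":
    for src, dst, port, verdict in find_suspicious(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} {verdict}")
```

This check needs the first payload bytes of each flow, which a packet sensor or a protocol-aware logger such as Zeek can provide; NetFlow-style records that carry only addresses, ports and byte counts cannot distinguish a genuine TLS session on 443 from a disguised one. A hit on an outbound flow from a web server is worth correlating with the dead cron entries and the other host-side indicators described in this article.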
CronRAT is advanced malware that retrieves data from a server, typically payment information from web stores. The most common uses of this information are selling it for money or using it in further crimes such as identity theft. Analysts expect other malware to emulate CronRAT’s multi-layered approach to avoiding detection because of this method’s success. Businesses, especially ecommerce stores, should therefore increase their investment in data protection solutions.
Data Breach flickr photo by EpicTop10.com shared under a Creative Commons (BY) license