CronRAT Targets Linux eCommerce Servers
Linux systems are becoming a frequent target of cyberattacks. Of course, UNIX-based systems are much more secure compared to Windows, and this is one reason why not all cybercriminals are able to develop and deploy such threats. One of the latest Linux-compatible malware families is dubbed CronRAT. As the name suggests, it is a Remote Access Trojan. But what does it do?
How Does CronRAT Work?
When the CronRAT infiltrates a computer successfully, it will enable its operators to modify specific files on the infected machine. The criminals seem to target mostly online shops, and they use the remote access to plant skimming code on payment and checkout pages. Although the servers of online stores are the primary target of the CronRAT for now, this is likely to change in the future.
One of the peculiar things about this malware is how it hides its code and components on the compromised machine. It creates a large number of scheduled tasks in cron, Linux's job scheduling system. However, they are all set to run on a non-existent date – February 31st. The names of these scheduled tasks are eventually collected and deciphered to form a complicated script, which enables the execution of the CronRAT's modules. The Remote Access Trojan is able to operate in fileless mode, manage the file system, and receive remote commands from the attackers. Although it was initially able to evade certain Linux antivirus products, it is now detected by a large number of anti-malware engines. Administrators of Linux servers are advised to strengthen the security of their systems by using an up-to-date security application at all times.