NginRAT Hides In Nginx Processes
Cybercriminals often deploy a combination of malicious implants, even when their features overlap. This appears to be the strategy of the creators of the newly spotted NginRAT. Copies of this malware were recovered from eCommerce servers that had previously been infected with the CronRAT sample, which is itself fairly new: it was first reported in the last week of November 2021. NginRAT also appears to target primarily eCommerce servers, and it is active in North America and Europe.
NginRAT Disguises its Activity as the Nginx Process
The name NginRAT was chosen because this Remote Access Trojan (RAT) hides by taking on the process name of the Nginx web server. It is a simple trick that makes the implant harder to spot: a web server is expected to run nginx processes, so most administrators would not suspect a process called nginx of being malicious, and the RAT blends into the normal process list.
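A process name is the cheapest thing for malware to fake and the first thing an administrator looks at, so the check that follows looks past it. The script below is an added example written for this page; it is not code from the article and does not describe how NginRAT itself behaves. It walks /proc and reports every process that calls itself nginx but whose /proc/&lt;pid&gt;/exe does not point at the real nginx binary, then lists the files mapped into a given process so they can be compared with the package manager's file list. The binary path /usr/sbin/nginx, the function names and the sample process data are assumptions for illustration; the proc root is a parameter only so the checks can be exercised against a constructed copy of /proc.

```shell
#!/bin/sh
# Added example (not from the original article or from any NginRAT analysis):
# two checks for a Linux host where a RAT may be posing as the nginx process.
#
# 1) find_impostors: every process whose name or command line contains
#    "nginx" must have /proc/<pid>/exe pointing at the real nginx binary.
#    The binary path is an assumption (Debian/Ubuntu install it at
#    /usr/sbin/nginx); pass the output of "command -v nginx" on your host.
# 2) mapped_files: the files mapped into a given pid, to compare against the
#    package manager's file list (dpkg -S / rpm -qf) for anything foreign.
#
# The proc root is a parameter so the checks can be run against a constructed
# copy of /proc for testing; in production it is /proc. Run as root, since
# /proc/<pid>/exe of other users' processes is unreadable otherwise.

# Print "<pid> <comm> <exe-target>" for every nginx-looking process whose
# executable is not $expected_exe. Prints nothing when everything matches.
find_impostors() {
    proc_root=$1
    expected_exe=$2
    name=$3
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        # cmdline is NUL-separated; turn it into one line for matching.
        cmd=""
        [ -r "$d/cmdline" ] && cmd=$(tr '\0' ' ' < "$d/cmdline")
        case "$comm $cmd" in
            *"$name"*) ;;
            *) continue ;;
        esac
        # exe is a symlink to the running image; a target ending in
        # " (deleted)" or living under /tmp, /dev/shm or a home directory
        # is suspicious, and an unreadable one means we are not root.
        target=$(readlink "$d/exe" 2>/dev/null) || target="(unreadable)"
        if [ "$target" != "$expected_exe" ]; then
            printf '%s %s %s\n' "${d##*/}" "$comm" "$target"
        fi
    done
    return 0
}

# Print the sorted, de-duplicated list of files mapped into process $pid,
# keeping any " (deleted)" suffix so a library mapped from an unlinked file
# still stands out. Compare each path with "dpkg -S <path>" or "rpm -qf <path>".
mapped_files() {
    proc_root=$1
    pid=$2
    [ -r "$proc_root/$pid/maps" ] || return 1
    awk 'NF >= 6 && $6 ~ /^\// {
             s = $6
             for (i = 7; i <= NF; i++) s = s " " $i
             print s
         }' "$proc_root/$pid/maps" | LC_ALL=C sort -u
}

# Usage on a real host: sh nginx_check.sh scan [expected-nginx-path]
if [ "${1:-}" = "scan" ]; then
    expected=${2:-/usr/sbin/nginx}   # assumption; use "command -v nginx"
    echo "== processes named nginx whose executable is not $expected"
    find_impostors /proc "$expected" nginx
    # Also dump the mapped files of every process named nginx, so the admin
    # can diff them against the nginx and libc packages' file lists.
    for d in /proc/[0-9]*; do
        [ "$(cat "$d/comm" 2>/dev/null)" = "nginx" ] || continue
        echo "== files mapped into pid ${d##*/}"
        mapped_files /proc "${d##*/}" || echo "   (maps unreadable; run as root)"
    done
fi
```

Two caveats when reading the output. After an nginx package upgrade the genuine master process also shows an exe target ending in " (deleted)" until it is restarted, so that line is benign only once you have confirmed the upgrade; a target under /tmp, /dev/shm or a home directory never is. And if an implant runs inside the real nginx process rather than as a process of its own, the exe link is correct and only the mapped-file list reveals a library that no installed package owns.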
While NginRAT and CronRAT have similar properties, NginRAT appears to have always been delivered by the latter. Both payloads target eCommerce servers running Linux exclusively. It is likely that the criminals gain their initial access by exploiting weak login credentials or vulnerabilities in outdated Internet-facing services.
This Remote Access Trojan lets its operators execute commands remotely, issued through their command-and-control server. Since both payloads have identical features, NginRAT is likely meant to serve as a backup in case the primary payload is discovered and removed. System administrators should protect their networks from the NginRAT and CronRAT payloads with up-to-date security tooling and firewalls. Applying the latest updates to all software, and replacing weak credentials on Internet-facing services, remains one of the best security measures to take.