NginRAT Hides In Nginx Processes

Cybercriminals often rely on a combination of malicious implants, even if their features tend to overlap. This appears to be the strategy of the creators of the newly spotted NginRAT. Copies of this malware were recovered from eCommerce servers that had previously been infected with the CronRAT sample. The latter is also fairly new, having first been reported in the last week of November 2021. NginRAT appears to target primarily eCommerce servers too, and it is active in North America and Europe.

NginRAT Disguises its Activity as the Nginx Process

The name NginRAT was selected because this Remote Access Trojan (RAT) appears to hijack the process name of the Nginx service. This is a simple trick to obfuscate its presence and make it harder to spot – most administrators would not suspect an Nginx process of being dangerous.
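As an added example (not code from the original article), a defender-side check for the process-name masquerade described above: it flags any process whose name claims to be nginx but whose executable is not one of the expected nginx binaries. The binary paths and the sample process list are assumptions, constructed for illustration.

```python
import os
from dataclasses import dataclass

# Where a package-installed nginx binary is expected to live (assumption; adjust per distribution/host).
KNOWN_NGINX_BINARIES = {"/usr/sbin/nginx", "/usr/local/sbin/nginx", "/usr/local/nginx/sbin/nginx"}

@dataclass
class Proc:
    pid: int
    comm: str  # contents of /proc/<pid>/comm, the name tools like ps and top display
    exe: str   # target of the /proc/<pid>/exe symlink, i.e. the binary actually executing

def check(p: Proc):
    """Return a reason string if a process calling itself nginx is not backed by a known nginx binary."""
    if "nginx" not in p.comm.lower():
        return None
    if p.exe.endswith(" (deleted)"):
        # Also fires after an nginx upgrade without a restart; still worth a look.
        return "executable unlinked from disk"
    if p.exe not in KNOWN_NGINX_BINARIES:
        return f"unexpected executable {p.exe}"
    return None

def find_masquerading(procs):
    """List (pid, reason) for every suspicious nginx-named process."""
    return [(p.pid, reason) for p in procs if (reason := check(p))]

def read_live_procs():
    """Gather comm and exe for all processes on a live Linux host (exe of other users' processes needs root)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:  # process exited or permission denied
            continue
        procs.append(Proc(int(entry), comm, exe))
    return procs

# Constructed sample: one genuine worker, one impostor running from /tmp, one whose binary was unlinked.
SAMPLE_PROCS = [
    Proc(1201, "nginx", "/usr/sbin/nginx"),
    Proc(4711, "nginx", "/tmp/.x/nginx"),
    Proc(4712, "nginx", "/usr/sbin/nginx (deleted)"),
    Proc(900, "sshd", "/usr/sbin/sshd"),
]
```

On a live host, `find_masquerading(read_live_procs())` runs the same check against /proc; a path check alone does not see code loaded into a genuine nginx process, so treat it as one signal alongside file-integrity and network monitoring.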

While NginRAT and CronRAT have similar properties, it seems that NginRAT was always delivered via the latter. Both payloads exclusively target eCommerce servers running Linux. It is likely that the criminals are exploiting weak login credentials or vulnerabilities in outdated Internet-facing services.

This Remote Access Trojan enables its operators to execute commands remotely, sent through their command-and-control server. Since both payloads have identical features, it is likely that NginRAT is meant to serve as a backup in case the primary payload is discovered. System administrators should protect their networks from the NginRAT and CronRAT payloads by using up-to-date security services and firewalls. Of course, applying the latest updates for all software is also one of the best security measures to take.

December 3, 2021
