Threat actors use CronRAT malware to target the E-commerce sector

January 11, 2022
Tags: Threat Actors, CronRAT, Malware, Ecommerce, Online Store, Cron Tool, Magecart

Recently, a new, highly sophisticated and stealthy remote access trojan (RAT) has been discovered in the wild. It hides on servers in a peculiar way: by registering itself under a nonexistent execution date, February 31st, inside the Linux calendar (cron) subsystem. The malware, dubbed CronRAT, is one of the latest Linux server-focused Magecart malware families and is used to carry out server-side Magecart data theft.

Several e-commerce stores worldwide have already been reported as affected by CronRAT. Threat actors use the malware to compromise victims' servers and inject online payment skimmers into them.

Its tactic of hiding in tasks scheduled for a day that never occurs, such as February 31st, lets it escape the suspicious eyes of server admins. Described as sophisticated by most security experts, the malware evades several antivirus tools and vendors. One security vendor even had to rewrite its detection engine after collecting samples in order to spot it and fully understand how it works.


The CronRAT name is taken from the Linux cron tool, which lets server admins schedule workloads or tasks to run at a given time and date, or on a specific day of the week.


According to a security expert, hiding inside a Linux server's calendar subsystem under a nonexistent day is the malware's main feature for staying undetected. Furthermore, many antivirus and security tools do not scan the Linux cron system by default, which makes it easier for the malware to operate unnoticed.
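As an added example (not code from the original article, nor from any vendor's detection engine), the following Python script parses user-crontab lines and flags jobs whose day-of-month and month combination can never occur, which is the hiding technique described above; a scheduled task that can never fire is worth a closer look. The crontab content is constructed for the example. It assumes the five-field user crontab format (not the seven-field /etc/crontab with a user column) and vixie-cron's rule that when both the day-of-month and day-of-week fields are restricted, the job runs when either one matches, so such entries are not reported as "never fires".

```python
"""Flag crontab entries scheduled on calendar dates that do not exist."""

# Days per month; February is given 29 so that "29 2" (leap day) is treated
# as a real, if rare, date rather than an impossible one.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTH_NAMES = {name: i for i, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def _resolve(token, names):
    """Turn a single cron token ("5" or "feb") into an integer."""
    token = token.strip().lower()
    if names and token in names:
        return names[token]
    if not token.isdigit():
        raise ValueError(f"bad cron token {token!r}")
    return int(token)


def expand_field(field, lo, hi, names=None):
    """Expand a cron field ("*", "1,15", "1-5", "*/10", "feb") into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _resolve(a, names), _resolve(b, names)
        else:
            start = _resolve(part, names)
            end = hi if step > 1 else start  # "5/2" means 5,7,9,... in vixie cron
        if not (lo <= start <= end <= hi):
            raise ValueError(f"cron field {field!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def never_fires(dom_field, mon_field, dow_field):
    """True when no selected (day-of-month, month) pair is a real calendar date.

    If day-of-week is restricted as well, vixie cron runs the job when either
    the date or the weekday matches, so the job can still fire and we return False.
    """
    if dow_field != "*":
        return False
    doms = expand_field(dom_field, 1, 31)
    months = expand_field(mon_field, 1, 12, MONTH_NAMES)
    return not any(d <= DAYS_IN_MONTH[m] for d in doms for m in months)


def scan_crontab(text):
    """Return (line_number, reason, command) for each suspicious entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # blank, comment, or @reboot/@daily style entry
        if "=" in line.split()[0]:
            continue  # environment assignment such as SHELL=/bin/sh
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        _minute, _hour, dom, mon, dow, cmd = parts
        try:
            if never_fires(dom, mon, dow):
                findings.append((lineno, f"schedule '{dom} {mon}' can never occur", cmd))
        except ValueError as exc:
            findings.append((lineno, f"unparseable schedule: {exc}", cmd))
    return findings


# Constructed sample crontab for the example; the paths are not real indicators.
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew
30 2 1 * * /opt/backup/monthly.sh
52 6 31 2 * /tmp/.x/update
0 0 31 2,3 * /usr/local/bin/quarter-close
0 0 31 2 1 /usr/local/bin/mon-check
@reboot /usr/local/bin/agent
"""

if __name__ == "__main__":
    for lineno, reason, cmd in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {reason}: {cmd}")
```

Only the `52 6 31 2 *` entry is reported: the `31 2,3` job legitimately fires on 31 March, and the `31 2 1` job fires every Monday because the weekday field is restricted. Run it against the output of `crontab -l` for each user on a server to list entries that can never execute.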

Researchers also explained that the malware launches a sophisticated Bash program with a self-destruction feature. It further uses timing modulation and a custom binary protocol to communicate with an external control server.

Since the pandemic began, market interest in the e-commerce industry has spiked, and many threat actors, including Magecart card skimmers, have taken advantage of this to carry out their attacks. The National Cyber Security Centre (NCSC) has advised retailers, online and offline, to be extra cautious, especially during the holiday season.

The NCSC found more than 4,000 retailers that threat actors had attacked over the past 18 months. The checkout pages of e-commerce sites were targeted in these attacks, including sites built on the popular e-commerce platform Magento.
