This stealthy malware hides behind an impossible date
Security researchers have found a new remote access trojan called CronRAT that hides in scheduled tasks on Linux servers. The RAT is set to execute on February 31, a date that does not exist. The trojan uses this tactic to avoid detection. CronRAT was discovered by security specialist Sansec and is likely part of a growing trend in Linux-focused Magecart malware. CronRAT is a tool used to enable server-side Magecart data theft.
Sansec described the malware as sophisticated, stating that it remains undetected by most antivirus vendors. According to the cybersecurity firm, it had to rewrite its detection engine to spot the malware after investigating how it works. The name CronRAT is a reference to the Linux cron tool, which allows admins to create scheduled jobs on a Linux system. The malware drops a Bash program with features such as self-destruction, timing modulation, and a custom binary protocol.