Sneaky Linux malware hides behind events scheduled to run on February 31

News
By published

Tackling such malware requires a holistic approach to security, researchers claim

Malware
(Image credit: solarseven / Shutterstock)

Attackers have used a novel approach by hiding a magecart malware in the Linux calendaring system on an invalid date, February 31.

Dubbed CronRAT by cybersecurity researchers at Sansec, the malware was found lurking on multiple online stores just ahead of the Black Friday online shopping extravaganza. 

“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistant day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” share the researchers.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Sansec claims to have seen several instances where CronRAT had helped the attackers inject magecart payment skimmers in the server-side code on the ecommerce platforms

Novel approach

Sansec explains that the attackers take advantage of the fact that the Linux cron system can schedule tasks on any date as long as it has a valid format. The attackers use this “feature” to insert CronRAT on an invalid date. 

The researchers note that CronRAT hides a “sophisticated Bash program” that employs various techniques including self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server, in order to go about its malicious business without spooking admins.

When launched, the malware contacts the control server using another “exotic feature” of the Linux kernel that enables TCP communication via a file. It then performs several actions to create a persistent backdoor to the attacked server, which essentially allows CronRAT operators to run any code on the server.

“Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface,” suggests Willem de Groot, director of threat research, Sansec.

Batten down the hatches with the help of these best firewall apps and services, and ensure your computers are protected with these best endpoint protection tools.

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Close up of the Linux penguin.
A new Linux backdoor is hitting US universities and governments
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Juniper VPN gateways targeted by stealthy "magic" malware
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Trojan
Hackers hide malware into website images to go unnoticed
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
Google system abused by hackers to hijack ecommerce stores
Latest in Security
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Latest in News
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Visual Intelligence identifying a dog
AirPods with cameras for Visual Intelligence could be one of the best personal safety features Apple has ever planned – here's why
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
More about security
IBM office logo

IBM to provide platform for flagship cyber skills programme for girls
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Viggle

What is Viggle: everything you need to know about the AI animation tool and meme generator
See more latest
Most Popular
A Minecraft sheep.
Minecraft developer rejects generative AI, 'it's important that it makes us feel happy to create as humans'
Nvidia AMD
Nvidia rumors suggest it's working on two affordable GPUs to spoil AMD's party
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Visual Intelligence identifying a dog
AirPods with cameras for Visual Intelligence could be one of the best personal safety features Apple has ever planned – here's why
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Apple iPhone 16 Review
New iPhone 17 report lends weight to rumors of major display and camera upgrades, and a pricey Apple foldable
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Sky Glass Gen 2
It's a Glass act: the next generation of Sky Glass TV is now at Currys
Teams
Microsoft Teams is finally adding a tiny but crucial feature I honestly can't believe it never had
Apple Watch Ultra 2 move data
Apple is reportedly planning a huge future Apple Watch upgrade to turn it into an AI device with onboard cameras