Experts have identified a new Linux RAT (Remote Access Trojan) that has been dubbed CronRAT. It stands out for its hiding place: it can be found in scheduled tasks set to run on February 31st, a day that, of course, does not exist.
CronRAT is keeping a low profile for the moment and is almost invisible. Its targets seem to be web stores: hackers deploy online payment skimmers on Linux servers with the final goal of stealing credit card information.
CronRAT: How It Works
Sansec researchers discovered this threat and published a report on it on November 24. According to the report, CronRAT has the following characteristics:
- It goes undetected by many antivirus products;
- It is designed to target and compromise cron, the task scheduling system of Linux;
- Cron allows tasks to be scheduled on days that do not exist in the calendar;
- Cron accepts a date specification as long as its format is valid, even when it names a non-existent calendar day, which also means the task will never be executed;