Security researchers have discovered a new remote access trojan (RAT) that uses an unusual way of hiding on servers.
As first reported on BleepingComputer, this new malware, dubbed CronRAT, hides in scheduled tasks on Linux servers by being set for execution on February 31, a date that doesn’t exist.
Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend in Linux server-focused Magecart malware. CronRAT is used to enable server-side Magecart data theft.
The security company describes the malware as “sophisticated”, and it remains undetected by most antivirus vendors. After receiving samples of the malware and studying how it works, Sansec had to rewrite its detection engine to spot it.
The name CronRAT is a reference to the Linux cron tool, which allows admins to create scheduled jobs on a Linux system that run at a specific time of day or on a regular day of the week.
“CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not