A sophisticated and previously unseen Remote Access Trojan (RAT) dubbed CronRAT is hiding in the calendar subsystem of Linux servers (“cron”) on a non-existent day – and using a range of techniques to gain control over ecommerce servers, security researchers at vulnerability detection specialist Sansec warned this week.
Sansec’s team said it had observed several cases where the presence of CronRAT led to the injection of payment skimmers (aka Magecart) into server-side code. (This is the kind of attack that cost British Airways so dearly in 2018, after 429,612 customers had their personal data stolen.)
The finding comes as the UK's National Cyber Security Centre (NCSC) said it had notified over 4,000 small business sites whose customers' payment details were being stolen by card skimmers, with attacks likely to ramp up on either side of Black Friday. The attacks identified by the NCSC were typically exploiting a known vulnerability in Adobe's Magento ecommerce software, it added.
Warning that they had identified the malware in one of the US’s largest retailers, Sansec director of threat research Willem de Groot noted: “Digital skimming is moving from the browser to the server and this is yet another example. Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should consider the full attack surface…”
CronRAT adds a number of tasks to crontab with a curious date specification, 52 23 31 2 3, Sansec noted, spelling out some of its sophisticated obfuscation and other techniques in a technical blog post. These include a custom binary protocol with random checksums, intended to avoid detection by firewalls and packet inspectors.
“These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding…"
(See the technical write-up here.)
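The hiding spot described above is easy to check for mechanically: a day-of-month/month pair that no real calendar contains never matches, so whatever is stored under it is data rather than a job. The script below is an added example written for this article, not Sansec's tooling; the crontab it scans is constructed, and the two /tmp/.x/run_task entries only mimic the 52 23 31 2 3 schedule Sansec reported. One caveat a practitioner should know: when both day-of-month and day-of-week are restricted, Vixie cron fires if either field matches, so an entry like "31 2 3" may still run on Wednesdays in February. The detector therefore treats the unreachable calendar date itself as the signal and does not reason about whether the job ever fires.

```python
"""Flag crontab entries scheduled on calendar dates that can never occur.

Added example (not Sansec's code): an impossible day-of-month/month pair such
as 31 February never matches a real date, so the command text stored under it
is a hiding place rather than a scheduled task.
"""
import calendar
import re

# Constructed sample crontab (not taken from the article). The last two
# entries mimic the "52 23 31 2 3" schedule Sansec described.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /opt/shop/bin/cache-warm.sh
30 2 1 4,10 * /usr/local/bin/quarterly-report.sh
52 23 31 2 3 /tmp/.x/run_task_01
52 23 31 2 3 /tmp/.x/run_task_02
"""

# Month-name aliases cron accepts in the month field ("jan", "feb", ...).
MONTH_NAMES = {m.lower(): i for i, m in enumerate(calendar.month_abbr) if m}
# Largest day each month can have in at least one year (February: 29).
MAX_DAYS = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
            7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}


def _to_int(token, names):
    """Convert a single field token, honouring name aliases such as 'feb'."""
    token = token.lower()
    if names and token in names:
        return names[token]
    return int(token)


def expand_field(field, lo, hi, names=None):
    """Expand one cron field ('*', '*/15', '1-5', '1,15', 'feb') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _to_int(a, names), _to_int(b, names)
        else:
            start = end = _to_int(part, names)
        values.update(range(start, end + 1, step))
    return values


def parse_crontab(text):
    """Yield (minute, hour, dom, month, dow, command) tuples.

    Comment lines, blank lines and VAR=value environment lines are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        yield tuple(fields)


def impossible_dates(text):
    """Return the commands whose day-of-month/month combination never occurs.

    Vixie cron matches either day-of-month or day-of-week when both are
    restricted, so a flagged entry may still fire on some weekday; the
    unreachable calendar date is what makes it suspicious either way.
    """
    flagged = []
    for _minute, _hour, dom, month, _dow, command in parse_crontab(text):
        if dom == "*" or month == "*":
            continue  # every day of every month is reachable
        days = expand_field(dom, 1, 31)
        months = expand_field(month, 1, 12, MONTH_NAMES)
        reachable = any(d <= MAX_DAYS[m] for d in days for m in months)
        if not reachable:
            flagged.append(command)
    return flagged


if __name__ == "__main__":
    for cmd in impossible_dates(SAMPLE_CRONTAB):
        print("impossible schedule:", cmd)
```

Run it against `crontab -l` output for each user, plus /etc/crontab and the /etc/cron.d files, and review anything it flags by hand; a command stored under an unreachable date is worth decoding rather than deleting blindly, since the stored text is the evidence.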
While the attack suggests cybercriminals are taking significantly more sophisticated steps towards often lucrative card-skimming than the off-the-shelf approaches previously seen, unpatched e-commerce software also remains low-hanging fruit for attackers, particularly at SMEs.
Adobe patched 16 major vulnerabilities in the software in August, including, as security firm Sucuri notes:
- Business Logic Error, which could allow for security feature bypass.
- Stored Cross-site Scripting, which could allow for arbitrary code execution.
- Improper Access Control, which could allow for arbitrary code execution.
- Improper Authorization, which could allow for security feature bypass.
- Improper Input Validation, which could allow for application denial of service, privilege escalation, security feature bypass and arbitrary code execution.
- Path Traversal, which could allow for arbitrary code execution.
- OS Command Injection, which could allow for arbitrary code execution.
- Incorrect Authorization, which could allow for arbitrary file system read.
- Server-Side Request Forgery, which could allow for arbitrary code execution.
- XML Injection, which could allow for arbitrary code execution.
Many of these were trivial to exploit.
When it comes to CronRAT, the actual payload is a "sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server", Sansec said on November 24. "Upon launch, it contacts the control server using an exotic feature of the Linux kernel that enables TCP communication via a file. In order to study the control server’s behavior, we wrote a specially crafted RAT client to intercept commands.” And this led to the discovery of… yet another RAT, more details to follow.