A piece of malware for the Linux operating system called CronRAT has developed a new way of hiding to avoid detection, using the system task scheduler and a date that does not really exist: February 31.
The discovery was made by the cybersecurity analyst Sansec, which has warned about this malware. Its name combines RAT, short for remote access trojan, and ‘cron’, as the system task scheduler is commonly known on Linux.
The virus uses the Linux calendar to hide itself with an evasion tactic that had not been seen so far in the cybersecurity industry, creating a false date, February 31.
Coinciding with the Black Friday sales period, Sansec has discovered that CronRAT is present in multiple online stores, and that its use facilitates persistent control over eCommerce servers.
The main feature of this Trojan is its ability to hide itself in the Linux task scheduler and create the nonexistent date of February 31st. In this way, most security software does not detect its presence, since it does not analyze the Linux scheduler either.
Among the CronRAT functions that affect eCommerce servers are fileless execution, time modulation, anti-tampering checksums, and control through an obfuscated binary protocol.
Furthermore, the malware launches RATs in tandem on a separate Linux subsystem, and is also capable of using a control server disguised as a ‘Dropbear SSH’ service and of hiding its payload in legitimate CRON scheduled task names.