New Linux malware hides in cron jobs with invalid dates

New CronRAT Linux malware hides payloads in cron jobs scheduled for a non-existent day

Security researchers have discovered a new remote access trojan (RAT) for Linux that maintains an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st.

Called CronRAT, the malware is currently targeting online stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.

Ingenious and sophisticated as far as malware for online stores goes, CronRAT is undetected by many antivirus engines.

Smart hiding place for payload

CronRAT abuses the Linux task scheduling system, cron, which allows scheduling tasks to run on non-existent calendar days, such as February 31st.

The Linux cron system accepts date specifications as long as they have a valid format, even if the day is not in the calendar, which means that the scheduled task is not executed.

This is what CronRAT relies on to achieve its stealth. A report today from Dutch cybersecurity firm Sansec explains that it hides a “sophisticated Bash program” in the names of the scheduled tasks.

“CronRAT adds a series of tasks to crontab with a strange date specification: 52 23 31 2 3. These lines are syntactically valid but would generate a runtime error when executed. However, this will never happen as they are scheduled to run on 31 February,” explain Sansec researchers.

CronRAT payload hidden in cron task for non-existent day
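A defender can hunt for this hiding place by checking whether a crontab entry's day-of-month and month fields name a date that is not in the calendar. The Python below is an added example, not code from Sansec or from the original article; the function names and the sample crontab are constructed for illustration, and the encoded task name is replaced by a placeholder.

```python
MAX_DAY = [0, 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]  # Feb with leap day
MONTHS = {n: i for i, n in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}

def expand(field, lo, hi, names=None):
    """Expand one cron field (*, lists, ranges, /steps, names) to a set of ints."""
    names, values = names or {}, set()
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        else:
            a, _, b = rng.partition("-")
            start = names.get(a) or int(a)
            end = (names.get(b) or int(b)) if b else (hi if step else start)
        values.update(range(start, end + 1, int(step or 1)))
    return {v for v in values if lo <= v <= hi}

def never_on_calendar(dom_field, month_field):
    """True if no (month, day) pair the fields allow is a real date; day-of-week is ignored."""
    days = expand(dom_field, 1, 31)
    months = expand(month_field, 1, 12, MONTHS)
    return not any(d <= MAX_DAY[m] for m in months for d in days)

def scan_crontab(text):
    """Return (line_no, schedule, command_length) for each impossible-date entry."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split(None, 5)
        # Skip blanks, comments, short VAR=value lines and @reboot-style shortcuts.
        if len(fields) < 6 or fields[0][0] in "#@":
            continue
        try:
            if never_on_calendar(fields[2], fields[3]):
                hits.append((no, " ".join(fields[:5]), len(fields[5])))
        except ValueError:
            continue  # fields are not a parseable schedule; review by hand
    return hits

# Constructed sample; line 3 uses the schedule quoted in the article.
SAMPLE = """\
# m h dom mon dow command
15 3 * * * /usr/local/bin/backup.sh
52 23 31 2 3 PLACEHOLDER_ENCODED_TASK_NAME
0 0 31 4,6,sep,nov * /usr/bin/true
0 6 29 feb * /usr/local/bin/leap-day-report.sh
"""

if __name__ == "__main__":
    print(scan_crontab(SAMPLE))
```

Run it over the output of `crontab -l` for each user and over the system crontab files; a flagged entry with an unusually long command field deserves a closer look.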

The payloads are obfuscated through multiple layers of compression and Base64 encoding. Cleaned up, the code includes commands for self-destruction, timing modulation, and a custom protocol that allows communication with a remote server.

The researchers note that the malware contacts a command and control (C2) server using an “exotic feature of the Linux kernel that enables TCP communication via a file.”

Furthermore, the connection is made over TCP via port 443 using a fake banner for the Dropbear SSH service, which also helps the malware stay under the radar.

After contacting the C2 server, the malware drops the disguise, sends and receives several commands, and retrieves a malicious dynamic library. At the end of these exchanges, the attackers behind CronRAT can run any command on the compromised system.

CronRAT has been found in several stores around the world, where it was used to inject scripts on the server that steal payment card data – the so-called Magecart attacks.

Sansec describes the new malware as “a serious threat to Linux eCommerce servers”, due to its capabilities:

  • Flawless design
  • Timing modulation
  • Anti-manipulation checksums
  • Controlled via binary, obfuscated protocol
  • Launches tandem RAT in separate Linux subsystem
  • Control server disguised as “Dropbear SSH” service
  • Payload hidden in legitimate CRON-scheduled task names

All of these features make CronRAT virtually undetectable. On the VirusTotal scanning service, 12 antivirus engines were unable to process the malicious file and 58 of them did not detect it as a threat.

CronRAT undetected on VirusTotal

Sansec notes that CronRAT’s novel execution technique also bypassed the company’s own detection algorithm, eComscan, and researchers had to rewrite it to catch the new threat.

