CronRAT
Industry: eCommerce / All | Level: Tactical | Source: Sansec
CronRAT is a remote access trojan that hides in the calendar system of a Linux server by scheduling itself on a non-existent day, February 31st, to evade detection. Security vendor Sansec identified the malware on multiple online stores. Observed capabilities include fileless execution, timing modulation, anti-tampering checksums, control via a binary, obfuscated protocol, launching a tandem RAT in a separate Linux subsystem, a control server disguised as a "Dropbear SSH" service, and a payload hidden in legitimate CRON scheduled task names.
- Anvilogic Use Case: Crontab Job Scheduling (Unix)