Security researchers recently discovered a new, clever remote access trojan (RAT) for Linux that almost has an almost invisible profile by hiding in tasks that are supposed to be executed on February 31 – a day that obviously does not exist.
Known as CronRAT, the malware targets web shops and allows attackers to commit credit card data theft by using online scrapers on Linux servers.
CronRAT has problems with the Linux task scheduling system cron, which allows scheduling tasks to be performed on non-existent calendar days such as February 31.
The Linux cron system accepts dates as long as the format is valid, even if the date does not exist – which means that the task is not executed.
The Dutch cyber security firm Sansec reported that the malicious software hides a “sophisticated Bash program” in the name of planned tasks.
“The CronRAT adds tasks to crontab with a peculiar date specification: 52 23 31 2 3. These lines are syntactically valid, but would result in a runtime error when executed. However, this will never take place as they are scheduled to run on February 31st,” the Sansec researchers explain.
With the VirusTotal scan service, 58 antivirus engines did not detect it in the system.