[HN Gopher] CronRAT malware hides behind February 31st
___________________________________________________________________
CronRAT malware hides behind February 31st
Author : manjana
Score : 58 points
Date : 2021-11-28 12:46 UTC (10 hours ago)
(HTM) web link (sansec.io)
(TXT) w3m dump (sansec.io)
| iRobbery wrote:
| In which year does February have 31 days?
| kingcharles wrote:
| I had to check in case it had actually ever occurred, since I
| had recently read about 30 February existing for reals:
| https://www.timeanddate.com/date/february-30.html
|
| It looks like there has never been a real 31 February.
| marcodiego wrote:
| > In the run-up to Black Friday, Sansec discovered a
| sophisticated threat that is packed with never-seen stealth
| techniques. This malware, dubbed "CronRAT", hides in the Linux
| calendar system on February 31st. It is not recognized by other
| security vendors and is likely to stay undetected on critical
| infrastructure for the coming months.
|
| For years I've heard people saying: "People is not as used as
| windows, that's why nobody is interested in writing virus for
| linux." Turns out that considering the number of "embedded" linux
| these days, linux is probably much more popular than any other
| OS. Consider android devices, smart tv, routers... all these are
| devices that are directly in touch with the end users. The fact
| that these have been nowhere near as annoying as windows devices
| is a testament to how seriously developers and vendors have been
| taking security and also a bit of luck and the heritage of some
| unix ideas.
|
| Of course, most high profile linux use are on servers. So it is
| expected that these systems are preferred targets. But
| considering all that, if you look closely at how some linux
| users, distributors and vendors behave, it seems like they are in
| another world. Security is mostly ignored as if linux was somehow
| magically free from vulnerabilities simply because you're using a
| package manager and mostly no extra security action is taken.
|
| Maybe linux users and sysadmins became lazy or lax for the long
| years of a perceived security calmness. They will probably need a
| few incidents before learning some lessons from the windows
| crowd.
| smoldesu wrote:
| You seem to misunderstand the threat model of the average Linux
| device. Linux only becomes as vulnerable as Windows when you
| _use_ it like Windows, and for the vast majority of use cases
| that is certainly not how it's treated. The average Linux
| device is either an Android phone with a completely different,
| sandbox and permission-based threat model, or a purpose-built
| machine that runs a handful of off-the-shelf software that can
| be assumed as reasonably secure. As such, the majority of
| exploits on Linux simply stem from misconfiguration. Luckily
| for attackers, the learning curve of a modern Unix machine is
| fairly steep, so they can count on a reasonable degree of
| oblivious behavior, such as not locking down your crontab to
| specific users/cgroups.
|
| Windows is insecure because its "shopping spree" method of
| software management is inherently unsafe. At least desktop
| Linux enforces integrity protection when you're downloading
| software from your package manager, and gives you sandboxing
| options (albeit not very good ones) to further mitigate
| security concerns. Failing that, it gives people the option of
| using ludicrously secure systems like Tails, Whonix and Qubes,
| which would really be impossible with how Windows is set up.
| marcosdumay wrote:
| > They will probably need a few incidents before learning some
| lessons from the windows crowd.
|
| Hum, thank-you but no. The lessons the Windows crowd learned
| are mostly bullshit, officialized due to people's helplessness
| and total lack of any reasonable alternative.
|
| Linux people are very serious about things like supply-chain
| verification, auditable software, and machine activity
| monitoring. All actions with viable engineering principles and
| real impact, differently from the "you need to install an
| antivirus" insanity.
| zinekeller wrote:
| > Linux people are very serious about things like supply-chain
| verification, auditable software, and machine activity
| monitoring. All actions with viable engineering principles
| and real impact, differently from the "you need to install an
| antivirus" insanity.
|
| Some sysadmins, sure, but definitely not all. Seriously,
| there are a lot of CentOS/RHEL 6 and below or Debian 8 and
| below running PHP 5.x that are still live on the internet,
| with vulnerabilities and all _that have been fixed in that
| specific version_. Saying that _all_ Linux-based people care
| about security is ignorant of one-click offerings from
| various hosting sites, and those who don't care if they're
| running Linux or Windows in the name of hosting a site.
| michaelbuckbee wrote:
| I think the parent commenter was making an interesting point
| which is that linux users are bifurcated:
|
| 1. The group you described (conscientious sysadmins)
|
| and
|
| 2. IOT vendors throwing Linux on devices without thought to
| updates and security.
| yborg wrote:
| Dunno how stealthy this is given that masses of base-64 garbage
| you didn't put into a crontab seems like a pretty big red flag.
| tata71 wrote:
| When's the last time you checked yours, before this story?
| tyingq wrote:
| I think the idea is that various Linux endpoint protection
| products don't look there.
| cyberCleve wrote:
| That seems like an obvious oversight. This is a well known
| and widely used malware technique.
| https://attack.mitre.org/techniques/T1053/003/
| vmoore wrote:
| > Most online stores have only implemented browser-based
| defenses, and criminals capitalize on the unprotected back-end.
| Security professionals should really consider the full attack
| surface
|
| What's the entry point for such a RAT? Does it scan for vulns in
| the server and plant itself there, or what? Article is lacking
| explanation of how a Linux e-commerce backend actually gets
| comp'd.
| tata71 wrote:
| One of thousands of unpatched (either at the sysops level, or
| the distro level) kernel RCE vulns.
| vmoore wrote:
| I thought that. "criminals capitalize on the unprotected
| back-end" is a bit vague though. An expose of the actual
| vulnerability would make this write-up even better, but I
| imagine the company doesn't want to discuss that for obvious
| reasons.
| tata71 wrote:
| Throw a dart:
|
| https://www.cvedetails.com/vulnerability-list.php?vendor_id=...
| tuankiet65 wrote:
| Running outdated web applications with vulnerabilities I
| suppose.
| sys_64738 wrote:
| I don't get it. If they are hidden within valid but never
| occurring crontab dates then they don't get executed. What am I
| missing?
| rzzzt wrote:
| anacron can run entries that are past their due date.
|
| ...after reading: but also because one entry has a valid "every
| 30 minutes" specification :) and the rest are only used for
| storage.
| 4llan wrote:
| > The CronRAT adds a number of tasks to crontab with a curious
| date specification: 52 23 31 2 3. These lines are syntactically
| valid, but would generate a run time error when executed.
| However, this will never happen as they are scheduled to run on
| February 31st. Instead, the actual malware code is hidden in
| the task names and is constructed using several layers of
| compression and base64 decoding.
|
| The actual malware uses the task name from these "never
| occurring crontab". The invalid date is just a kind of
| signature.
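A defender-side check for the crontab trick this thread discusses, added here as an illustration and not code from the article or from Sansec: it parses crontab text, flags entries whose day/month combination can never occur (such as the quoted 31 2 specification) and entries whose command field is a bare base64 blob rather than a command. The sample crontab, its commands and its base64 string are constructed.

```python
import re
from typing import List, Tuple

# Days per month; February is given 29 so a leap-day entry is not flagged.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# Constructed sample crontab: a benign job, a real every-30-minutes loader,
# and two entries parked on impossible dates. The base64 string is made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/30 * * * * /bin/sh -c 'echo loader'
52 23 31 2 3 QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
52 23 30 2 3 /usr/bin/true
"""

def _expand(field: str) -> List[int]:
    """Expand a numeric cron field (N, N-M, N,M, optional /step) into values.
    A wildcard yields an empty list, meaning 'nothing can be proven'."""
    values: List[int] = []
    for part in field.split(","):
        part = part.split("/")[0]  # drop any step suffix
        if part == "*" or not re.fullmatch(r"\d+(-\d+)?", part):
            return []
        lo, _, hi = part.partition("-")
        values.extend(range(int(lo), int(hi or lo) + 1))
    return values

def impossible_date(dom_field: str, mon_field: str) -> bool:
    """True when no (day, month) pair named by the entry can ever occur."""
    days, months = _expand(dom_field), _expand(mon_field)
    if not days or not months:
        return False
    return all(d > DAYS_IN_MONTH.get(m, 31) for d in days for m in months)

def audit_crontab(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each suspicious crontab entry."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = s.split(None, 5)
        if len(parts) < 6:
            continue  # @reboot-style or malformed entries are out of scope
        _minute, _hour, dom, mon, _dow, cmd = parts
        if impossible_date(dom, mon):
            findings.append((n, "impossible date: entry is storage, not a schedule"))
        if re.fullmatch(r"[A-Za-z0-9+/]{40,}={0,2}", cmd):
            findings.append((n, "command field is a bare base64 blob"))
    return findings
```

Run it against the output of `crontab -l` for each user and against the files under /etc/cron.d; an entry that can never fire but still carries a payload is the signature the article describes.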
___________________________________________________________________
(page generated 2021-11-28 23:01 UTC)