CronRAT: A New Linux Malware That's Scheduled to Run on February 31st

  • Thread starter Deleted member 108694

Deleted member 108694

Dubbed CronRAT, the sneaky malware "enables server-side Magecart data theft which bypasses browser-based security solutions," Sansec Threat Research said. The Dutch cybersecurity firm said it found samples of the RAT on several online stores, including an unnamed country's largest outlet.

And all the time we thought that February never has a 31st day!
So, does this mean the malware will never run, because there is no such day?

Or, does it mean the execution day is simply not disclosed, and the whole article is simply meant to either keep people on their toes or to scare the crap out of them?
CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators; after all, most administrators will not look at days that do not exist and many security products do not scan the Linux cron system. Instead, the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding.
You can view the decoded raw payload here -
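The hiding place described in the post above suggests a simple audit, shown here as an added example that is not part of the thread or of Sansec's write-up: flag crontab entries whose day/month combination never occurs, and entries carrying a long base64-like run. The function names, the 120-character threshold and the sample lines are assumptions made for illustration.

```python
import re

# Highest valid day per month (February gets 29 to allow for leap years).
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
           7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTHS = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}
# Heuristic (assumed threshold): long unbroken base64-alphabet run in the task.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{120,}")

def expand(field, lo, hi, names=None):
    """Expand one cron field (lists, ranges, steps, names) into a set of ints."""
    values = set()
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        else:
            a, _, b = rng.partition("-")
            num = lambda s: (names or {}).get(s) or int(s)
            start = num(a)
            end = num(b) if b else (hi if step else start)
        values.update(range(start, end + 1, int(step or 1)))
    return values

def audit_line(line):
    """Return the findings for one crontab line (empty list if nothing stands out)."""
    line = line.strip()
    fields = line.split(None, 5)
    # Skip blanks, comments, @reboot-style shortcuts and VAR=value lines.
    if len(fields) < 6 or line[0] in "#@" or re.match(r"\w+\s*=", line):
        return []
    try:
        days = expand(fields[2], 1, 31)
        months = expand(fields[3], 1, 12, MONTHS)
    except ValueError:
        return ["unparseable schedule"]
    findings = []
    # Note: if day-of-week is also restricted, cron matches on either day
    # field, so such a job can still fire; the entry deserves review anyway.
    if all(d > MAX_DAY.get(m, 0) for m in months for d in days):
        findings.append("impossible day/month")
    if B64_RUN.search(fields[5]):
        findings.append("long base64-like run")
    return findings

def audit(text):
    """Audit crontab text; return (line number, findings) for flagged lines."""
    hits = [(n, audit_line(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, f) for n, f in hits if f]
```

Feed it the output of `crontab -l` for each user as well as the files under `/etc/cron.d`.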
Supreme Cleverness.
It's unfortunate that Linux has become the victim of more cyber attacks lately, with it powering so many devices, and rising in popularity on the desktop. However, let's just see how this plays out. Obviously, cyber security experts are working around the clock to keep everyone's servers safe from hackers, and as @JasKinasis said in another thread, as long as end users keep everything up to date, they're less likely to be affected by this. Even though any Linux noob could install updates relatively easily, just the fact that Linux has been gaining the attention of hackers is what's surprising now. It still would be a good idea to have numerous FOSS operating systems become stable and available just in case there's a SHTF moment in Linux.
It was only a matter of time as Linux grows in usage, especially in the server market. The criminals are going to try to find ways to exploit it. Just be as careful as possible and keep an eye on your systems.
Most enterprises will be using RHEL, which has SELinux, another layer of security/protection, and if they are smart they don't have that disabled.
At least it's not on March 15. Note to self, keep using paper calendars.