Remote access malware is being used to attack eCommerce servers, and it hides on Nginx servers in such a way that security solutions can't detect it. NginRAT is a combination of the application it targets and the remote access capabilities it delivers, and it is being used in server-side attacks to steal payment card data from online stores.
NginRAT was discovered on eCommerce servers in North America and Europe infected with CronRAT, a remote access trojan (RAT) that hides payloads in activities scheduled to run on an invalid calendar day. Even if the day does not exist in the calendar, the Linux cron system accepts date requirements as long as they have a proper format, which implies the scheduled task will not run.
CronRAT relies on this to maintain its anonymity. According to research released by Dutch cyber-security firm Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. Multiple levels of compression and Base64 encoding are used to conceal the payloads. The code has been cleaned up and now contains self-destruction, time modulation, and a custom protocol for communicating with a remote server.
NginRAT has infected servers in the United States, Germany, and France, injecting into Nginx processes that are undetectable, allowing it to remain unnoticed. The new malware, according to researchers at Sansec, is delivered CronRAT, despite the fact that both perform the same function: granting remote access to the attacked system.
While the two RATs use quite different approaches to preserve their secrecy, Willem de Groot, director of threat research at Sansec, told BleepingComputer that they appear to have the same role, operating as a backup for preserving remote access. After developing a custom CronRAT and analyzing the interactions with the command and control server (C2) in China, Sansec was able to investigate NginRAT. As part of the typical malicious interaction, the researchers duped the C2 into transmitting and executing a rogue shared library payload, masking the NginRAT "more advanced piece of malware."
“NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself", reads the analysis published by the experts. The remote access malware is embedded in the Nginx process in such a way that it is practically impossible to distinguish from a valid process at the end of the process.