January 23, 2022

TheCyberThrone

Thinking Security ! Always

NginRAT successor of CronRAT

Researchers discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron).

While investigating CronRAT infections in North America and Europe the researchers spotted a new malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions. Like CronRAT, also NginRAT works as a “server-side Magecart,” it injects itself into an Nginx process.

Advertisements

NginRAT essentially hijacks a host Nginx application to masquerade its presence. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT injects itself. The result is a remote access trojan that is embedded in the Nginx process.On a typical eCommerce web server, there are many Nginx processes. And the rogue Nginx looks just like the others.

The researchers discovered that NginRAT is delivered using CronRAT and both allow attackers to maintain remote access to the infected system.

In the infection process, CronRAT contact the C2C server at 47.115.46.167:443 using custom commands. One of the commands is dwn that downloads a Linux system library to /dev/shm/php-shared. Then, CronRAT launch

LD_L1BRARY_PATH="[580 bytes]" \ LD_PRELOAD=/dev/shm/php-shared \ /usr/sbin/nginx --help --help --help --help --help --help --help --help \ --help --help --help --help --help --help --help --help --help --help --help \ --help --help --help --help --help --help --help --help --help --help --help \ --help --help --help --help --help --help --help --help --help --help --help \ --help --help --help --help --help --help --help --help --help 1>&2 &

to inject the NginRAT into the host Nginx application.

nginrat

Once Nginx calls dlopen, NginRAT takes control. It removes the php-shared file, changes its process name to nginx: worker process, gathers information about the system and opens up a connection with the c&c server at 47.115.46.167. It then awaits further commands, possibly sleeping for weeks or months

Advertisements

Experts explained that NginRAT hides into a legitimate Nginx host process, a /proc/PID/exe will point to Nginx. Another trick that makes the analysis of the malware challenging is that the library code is only written in memory and cannot be examined after its launch. The use of LD_L1BRARY_PATH (with typo) is an indicator of compromise.

In order to find malicious processes, admins can run this command:$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/ /proc/17199/environ /proc/25074/environ

Then it is possible to kill them with 

kill -9 <PID>.

%d bloggers like this: