Yes, you read the headline correctly. Researchers have discovered a novel Linux Remote Access Trojan (RAT) that uses a never-before-seen stealth approach: it schedules its malicious actions for execution on February 31st, a non-existent calendar day.
CronRAT, according to Sansec Threat Research, “enables server-side Magecart data theft that avoids browser-based security solutions.” According to the Dutch cybersecurity firm, the RAT was spotted on multiple online stores, including the country’s largest.
CronRAT’s most notable feature is that it hides on a non-existent day in the calendar subsystem of Linux servers (“cron”). Because most administrators will not look at days that do not exist, and many security tools do not check the Linux cron system, it does not attract attention from server admins. The malicious code itself is obfuscated with several layers of compression and base64 encoding and is hidden in the job names.
“The CronRAT adds several tasks to crontab with a strange date specification: 52 23 31 2 3,” noted the researchers. “These lines are syntactically correct, but they would cause a run-time error if they were executed. However, because they are slated to air on February 31st, this will never happen.”
The researchers also said that CronRAT’s actual payload is a sophisticated Bash program with self-destruction, timing modulation, and a proprietary binary protocol to connect with a foreign control server.
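Both traits described above, a date specification that can never occur and an encoded blob inside the entry, can be checked for when auditing crontab lines. The following Python check is an added example, not Sansec's tooling or code from the original article; the function names, the finding labels and the 60-character base64 threshold are assumptions.

```python
import re

# Highest day each month can have; February is 29 so leap-day jobs pass.
MAX_DAY = dict(zip(range(1, 13), (31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)))
MONTHS = {n: i for i, n in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# Heuristic threshold (assumption): 60+ consecutive base64 characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


def expand(field, lo, hi, names=None):
    """Expand one cron field ('*', lists, ranges, steps) into a set of ints."""
    def num(v):
        return (names or {}).get(v) or int(v)
    out = set()
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        else:
            a, _, b = rng.partition("-")
            start = num(a)
            end = num(b) if b else (hi if step else start)
        out.update(range(start, end + 1, int(step or 1)))
    return {v for v in out if lo <= v <= hi}


def audit_line(line):
    """Return findings for one crontab line; an empty list means nothing flagged."""
    fields = line.strip().split(None, 5)
    # Skip blanks, comments, VAR=value lines and '@reboot'-style shortcuts.
    if len(fields) < 6 or not re.match(r"[\d*]", fields[0]):
        return []
    findings = []
    try:
        days = expand(fields[2], 1, 31)
        months = expand(fields[3], 1, 12, MONTHS)
        # Day-of-week (fields[4]) is deliberately not evaluated here.
        if not any(d <= MAX_DAY[m] for m in months for d in days):
            findings.append("impossible-date")
    except ValueError:
        findings.append("unparseable-schedule")
    if B64_RUN.search(fields[5]):
        findings.append("encoded-blob")
    return findings


if __name__ == "__main__":
    # Constructed sample lines, not taken from a real infection.
    for entry in ("52 23 31 2 3 " + "QUJD" * 20, "0 3 29 2 * /usr/bin/backup"):
        print(audit_line(entry), entry[:40])
```

The base64 pattern is a heuristic and can also match long slash-separated paths, so a hit on `encoded-blob` alone is a prompt to inspect the entry rather than a verdict.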