NginRAT – A stealth malware targets e-store hiding on Nginx servers

Threat actors are targeting e-stores with remote access malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions.

Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) on February 31st.

CronRAT is employed in Magecart attacks against online stores web stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.

While investigating CronRAT infections in North America and Europe the researchers spotted a new malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions. Like CronRAT, also NginRAT works as a “server-side Magecart,” it injects itself into an Nginx process.

Experts pointed out that a rogue Nginx process could not be distinguished from the original.

“NginRAT essentially hijacks a host Nginx application to masquerade its presence. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT injects itself. The result is a remote access trojan that is embedded in the Nginx process.” reads the analysis published by the experts. “On a typical eCommerce web server, there are many Nginx processes. And the rogue Nginx looks just like the others.”

The researchers discovered that NginRAT is delivered using CronRAT and both allow attackers to maintain remote access to the infected system.

In the infection process, CronRAT contact the command and control server at using custom commands. One of the commands is dwn that downloads a Linux system library to /dev/shm/php-shared. Then, CronRAT launches

env LD_L1BRARY_PATH="[580 bytes]" \
    LD_PRELOAD=/dev/shm/php-shared \
    /usr/sbin/nginx --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help 1>&2 &

to inject the NginRAT into the host Nginx application.

“Once Nginx calls dlopen, NginRAT takes control. It removes the php-shared file, changes its process name to nginx: worker process, gathers information about the system and opens up a connection with the c&c server at It then awaits further commands, possibly sleeping for weeks or months.” continues the post published by the researchers.

Experts explained that NginRAT hides into a legitimate Nginx host process, a /proc/PID/exe will point to Nginx. Another trick that makes the analysis of the malware challenging is that the library code is only written in memory and cannot be examined after its launch. The use of LD_L1BRARY_PATH (with typo) is an indicator of compromise.

In order to find malicious processes, admins can run this command:

$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/

Then it is possible to kill them with kill -9 <PID>.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.