NginRAT – A stealth malware targets e-store hiding on Nginx servers

Threat actors are targeting e-stores with remote access malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions.

Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) on February 31st.

CronRAT is employed in Magecart attacks against online stores web stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.

While investigating CronRAT infections in North America and Europe the researchers spotted a new malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions. Like CronRAT, also NginRAT works as a “server-side Magecart,” it injects itself into an Nginx process.

Experts pointed out that a rogue Nginx process could not be distinguished from the original.

“NginRAT essentially hijacks a host Nginx application to masquerade its presence. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT injects itself. The result is a remote access trojan that is embedded in the Nginx process.” reads the analysis published by the experts. “On a typical eCommerce web server, there are many Nginx processes. And the rogue Nginx looks just like the others.”

The researchers discovered that NginRAT is delivered using CronRAT and both allow attackers to maintain remote access to the infected system.

In the infection process, CronRAT contact the command and control server at 47.115.46.167:443 using custom commands. One of the commands is dwn that downloads a Linux system library to /dev/shm/php-shared. Then, CronRAT launches

env LD_L1BRARY_PATH="[580 bytes]" \
    LD_PRELOAD=/dev/shm/php-shared \
    /usr/sbin/nginx --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help 1>&2 &

to inject the NginRAT into the host Nginx application.

“Once Nginx calls dlopen, NginRAT takes control. It removes the php-shared file, changes its process name to nginx: worker process, gathers information about the system and opens up a connection with the c&c server at 47.115.46.167. It then awaits further commands, possibly sleeping for weeks or months.” continues the post published by the researchers.

Experts explained that NginRAT hides into a legitimate Nginx host process, a /proc/PID/exe will point to Nginx. Another trick that makes the analysis of the malware challenging is that the library code is only written in memory and cannot be examined after its launch. The use of LD_L1BRARY_PATH (with typo) is an indicator of compromise.

In order to find malicious processes, admins can run this command:

$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/
/proc/17199/environ
/proc/25074/environ

Then it is possible to kill them with kill -9 <PID>.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]