There’s an interesting find over at the Sansec blog, wrapping time and date manipulation up with a very smart RAT attack.

The malware, named CronRAT, isn’t an e-commerce attack compromising payment terminals in physical stores. Rather, it looks to swipe payment details by going after vulnerable web stores and dropping payment skimmers on the Linux servers that run them. It’s your classic Magecart attack with a stealthy twist.

This method means it bypasses the protections people using the websites arm themselves with, rigging the game from the start. By the time you get onto the website, everything may be fine at your end, but the stream further upriver has already been polluted. It achieves this thanks to the Linux cron job system, which we’ll come back to a little later.

First, here’s a brief breakdown of Magecart, and of the difference between client-side and server-side attacks.

What is Magecart?

It’s the collective name used for multiple groups who partake in web skimming. These attacks rely on outdated CMSes, or plugin zero-days. They may go after small businesses running a particular e-commerce platform. They may use services such as bulletproof hosting to frustrate researchers and law enforcement. Web shells are a popular tactic. There are even copycat groups out there, just to make things even more confusing.

Client-side versus server-side attacks

Client-side is where the person buying things from the website hangs out. This is where operations like Magecart may lurk. It could be bogus JavaScript loaded from an untrusted domain, or perhaps some other form of rogue code. You can avoid threats such as these with browser add-ons like NoScript. In terms of how you try to protect your browser, there is an element of control over these factors.

Server-side is an attack on the merchant. Your security processes and tools may be great, but when someone is directly corrupting the site under the hood, you may be fighting a losing battle. While your typical web shopper’s first run-in with Magecart would be the previously mentioned rogue JavaScript or other code, this attack means browser-based fixes may not help.

With those out of the way, we’ll loop back to Cron and Cron Jobs.

What is cron?

Cron is the way Linux systems schedule tasks. These tasks run at a specified time/date in the future, and are known as cron jobs. Where things get interesting is that you can enter dates that don’t exist. Cron range-checks each schedule field on its own (day-of-month 1 to 31, month 1 to 12) but never checks whether the combination is a real day, so as long as each field is in range the system takes the entry on board and files it away in the scheduling system.

CronRAT adds a number of tasks to the crontab with a date specification that would generate a runtime error if they were ever triggered. What the malware authors have done is exploit the “any in-range date is accepted” behaviour and schedule the tasks for February 31. Of course, that is a date which never actually arrives. As a result, the jobs never fire and the error never happens, while the lines sit in the crontab looking like ordinary scheduled tasks.

As Sansec puts it:

…the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding.

The payload is a “sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server”.

This is definitely one way for Magecart to ride the Black Friday wave, and carry on into the Christmas season.

The digital skimming problem

Here are some thoughts from Jerome Segura, our Senior Director of Threat Intelligence:

We’ve known for a long time that there are two different ecosystems when it comes to website security: server-side and client-side. While most security companies focus on the latter, the former is probably the more interesting and perhaps less documented one as it requires access to backend systems. This is an example of a threat that is well crafted and meant to evade detection by default browser-side, but also in some aspects server-side due to its clever obfuscation techniques.

This means that from a digital skimming point of view, you are always accepting a degree of risk by shopping online and trusting the merchant’s ability to keep their systems secure. You should be aware of any subtle changes to payment forms and other possible giveaways that a site isn’t up to standard. Without getting too technical, outdated copyright information or broken HTML elements could be some of the things that tell you a store isn’t able to keep its website current.

An attacker will first compromise online shops that are vulnerable to attacks, so it makes sense to stay clear of those that are not following best practices.

Safety first

There are lots of things you can do out there in the real world to avoid ATM skimmers and related threats. You can also be proactive in the realm of web-based skimmers targeting the sites you make payments on. Issues such as CronRAT may take the various industries involved a while to get to grips with.

The level of protection for online purchases varies, and it may depend on the payment method and/or your location. It’s also worth being aware that if payment data has been compromised, the criminals have most likely grabbed other data too. While that may not be the most reassuring message heading into the new year, forewarned is most definitely forearmed.