Servers used for e-commerce have fallen prey to the new NginRAT malware. This malware stands out because it hides on Nginx servers, disguising itself as a legitimate process. Its task is to intercept customers' payment card data.
It is noteworthy that NginRAT was found on servers already infected with the CronRAT Trojan, which gives cybercriminals remote access. So far, the malware has been caught in the United States, France and Germany.
NginRAT processes are practically indistinguishable from legitimate ones, which makes detecting the malware much harder. In fact, unless you specifically look for the Trojan, it cannot be spotted with the naked eye.
Like CronRAT, the new malware gives its operators access to the compromised system. Some cybersecurity researchers have noted that one Trojan backs up the other.
Some of the cybercriminals behind the spread of these two malicious programs use them to modify server-side code. This technique lets the attackers capture whatever customers submit (via POST requests).
Researchers at Sansec studied NginRAT after creating a custom CronRAT and exchanging messages with the command-and-control (C2) server, located in China. They managed to get the C2 to send and execute a payload that delivered NginRAT.
Sansec also described how the malware is embedded and how nearly identical its process looks to the legitimate one. Because of the way it is embedded, NginRAT's malicious code exists exclusively in the server's memory.
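Since the article's key point is that the malicious code lives only in memory inside a process that looks like nginx, the check a defender wants is one that ignores process names and instead asks where each executable region of the process actually comes from. The following is an added example, not code from the article or from Sansec: it parses Linux `/proc/<pid>/maps` output and flags executable mappings that are anonymous, backed by a deleted file, or mapped from a volatile location such as `memfd` or `/dev/shm`. The list of expected code directories and volatile prefixes, and the sample maps dump, are assumptions constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Assumption: directories from which an nginx worker legitimately maps code.
EXPECTED_CODE_DIRS: Tuple[str, ...] = (
    "/usr/sbin", "/usr/bin", "/lib", "/lib64", "/usr/lib", "/usr/local",
)

# Assumption: locations that only exist in memory or tmpfs; nginx loads no modules from here.
VOLATILE_PREFIXES = ("/memfd:", "/dev/shm/", "/tmp/", "/run/")


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def suspicious_mappings(maps_text: str) -> List[Finding]:
    """Return executable mappings in a /proc/<pid>/maps dump that have no
    ordinary on-disk file behind them. Only executable regions matter: a
    memory-resident payload has to be mapped executable in order to run."""
    findings = []
    for raw in maps_text.splitlines():
        m = MAPS_LINE.match(raw.strip())
        if not m:
            continue  # blank or malformed line
        perms, path = m["perms"], m["path"].strip()
        if "x" not in perms or path.startswith("["):
            continue  # non-executable, or a kernel pseudo-mapping such as [vdso]
        start, end = int(m["start"], 16), int(m["end"], 16)
        if path == "":
            reason = "anonymous executable mapping"
        elif path.startswith(VOLATILE_PREFIXES):
            reason = "executable code mapped from a volatile location"
        elif path.endswith("(deleted)"):
            reason = "backing file deleted from disk"
        elif not path.startswith(EXPECTED_CODE_DIRS):
            reason = "executable code mapped from an unexpected directory"
        else:
            continue  # ordinary code mapping from a known directory
        findings.append(Finding(start, end, perms, path, reason))
    return findings


def nginx_pids() -> List[int]:
    """PIDs whose command name is nginx, read from /proc (Linux only, empty elsewhere)."""
    pids = []
    for entry in os.listdir("/proc") if os.path.isdir("/proc") else []:
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                if fh.read().strip() == "nginx":
                    pids.append(int(entry))
        except OSError:
            continue  # process exited, or not readable without privileges
    return pids


def scan_process(pid: int) -> List[Finding]:
    """Scan one live process; needs root (or ptrace access) to read other users' maps."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_mappings(fh.read())


# Constructed sample of an nginx worker's maps, not captured from a real host.
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a2e000 r--p 00000000 fd:01 1310800 /usr/sbin/nginx
55d0c3a2e000-55d0c3b3a000 r-xp 0002e000 fd:01 1310800 /usr/sbin/nginx
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 fd:01 1050123 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c800000-7f3a1c80a000 r-xp 00000000 00:00 0
7f3a1c900000-7f3a1c912000 r-xp 00000000 00:05 12345 /memfd:x (deleted)
7f3a1c980000-7f3a1c991000 r-xp 00000000 fd:01 1050999 /usr/lib/x86_64-linux-gnu/libz.so.1 (deleted)
7ffd5c3e0000-7ffd5c3e2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for pid in nginx_pids():
        for f in scan_process(pid):
            print(f"pid {pid}: {f.start:x}-{f.end:x} {f.perms} {f.path or '<anon>'}: {f.reason}")
```

On the constructed sample the scan ignores the nginx binary, libc and `[vdso]` and reports three regions: the anonymous executable mapping, the `memfd` mapping and the deleted `libz` mapping. Treat the output as a triage list rather than a verdict: a worker that outlived a package upgrade will show `(deleted)` libraries, and an nginx build with a JIT (for example LuaJIT) will legitimately hold anonymous executable pages, so the hits are compared against the host's known configuration before anything is declared malicious.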