A new malware strain, named NginRAT, has been discovered hiding inside the popular Nginx web server. NginRAT is used to steal data from e-commerce servers via server-side Magecart attacks.
What has happened?
While investigating CronRAT infections, researchers spotted NginRAT, which hides inside Nginx server processes. Like CronRAT, NginRAT acts as a server-side Magecart implant and injects itself into an Nginx process.
The malware hijacks a core piece of Linux host functionality, dynamic library loading.
When a genuine Nginx web server uses that functionality, the malware's library is loaded into the Nginx process, so the implant lives inside a legitimate process rather than running as a separate binary.
An e-commerce web server usually runs many Nginx processes, which makes it hard to tell a genuine worker from an injected one.
NginRAT is delivered by CronRAT, and both give attackers remote access to the infected system.
The malware commands
CronRAT communicates with its C2 server using a set of custom commands.
Its dwn command downloads a Linux shared library to /dev/shm/php-shared. CronRAT then injects NginRAT into the Nginx application by having it load that library.
NginRAT takes control once Nginx loads the library via dlopen. At that point it deletes the php-shared file from disk, renames its process to nginx: worker process, collects system information, and establishes a connection to the C2 server.
It then awaits further commands and can remain dormant for weeks or months.
As an anti-analysis measure, the library code exists only in memory once launched, since its file on disk has been deleted, so it cannot be recovered for examination afterwards. However, the mistyped environment variable LD_L1BRARY_PATH (a digit 1 in place of the letter I) can serve as an indicator of compromise (IOC): the variable name remains visible in the environment of the affected process.
Cybercriminals evidently continue to refine their skills in the background, making their tactics harder to detect.
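One way to act on that indicator on a Linux host, as an added example that is not part of the original article or the researchers' own tooling: a POSIX shell script that scans every process environment under /proc for the mistyped variable, and, as an additional heuristic assumed here rather than taken from the report, scans /proc/PID/maps for the dropped library path still mapped after its file was removed (Linux appends "(deleted)" to such mappings). The fake proc tree and its contents are constructed for the demo, and the function names and the --hunt/--demo flags are this example's own.

```shell
#!/bin/sh
# Added hunting script for the NginRAT indicators discussed above (example code,
# not from the original report). Two checks, both parameterised on a proc root so
# they can be exercised against a constructed fake tree:
#   1. LD_L1BRARY_PATH (digit 1) present in a process environment - the IOC from
#      the report.
#   2. /dev/shm/php-shared still mapped into a process after the file was
#      unlinked; Linux appends " (deleted)" to such entries in /proc/PID/maps.
#      This second check is a heuristic assumed here, not taken from the report.

# Print the PIDs whose environment block contains the mistyped variable.
# A legitimate LD_LIBRARY_PATH (letter I) must not match.
find_l1brary_pids() {
    root=${1:-/proc}
    for env in "$root"/[0-9]*/environ; do
        [ -r "$env" ] || continue   # unreadable (other users' processes) or no match
        # environ is NUL-separated; -a treats it as text, -q only sets the exit status
        if grep -aq 'LD_L1BRARY_PATH=' "$env"; then
            pid=${env#"$root"/}
            echo "${pid%/environ}"
        fi
    done
}

# Print the PIDs that still map the dropped library after it was deleted from disk.
find_deleted_php_shared_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q '/dev/shm/php-shared (deleted)$' "$maps"; then
            pid=${maps#"$root"/}
            echo "${pid%/maps}"
        fi
    done
}

# Build a constructed fake proc tree under $1 with three processes:
#   100 - clean nginx worker
#   200 - launched with LD_L1BRARY_PATH and still mapping the unlinked library
#   300 - legitimate LD_LIBRARY_PATH, must not be flagged
make_fake_proc() {
    root=$1
    mkdir -p "$root/100" "$root/200" "$root/300"
    printf 'PATH=/usr/bin\0USER=www-data\0' > "$root/100/environ"
    printf '7f00-7f10 r-xp 00000000 08:01 1 /usr/sbin/nginx\n' > "$root/100/maps"
    printf 'PATH=/usr/bin\0LD_L1BRARY_PATH=/dev/shm\0' > "$root/200/environ"
    printf '7f00-7f10 r-xp 00000000 00:1a 2 /dev/shm/php-shared (deleted)\n' > "$root/200/maps"
    printf 'LD_LIBRARY_PATH=/opt/lib\0' > "$root/300/environ"
    : > "$root/300/maps"
}

# Report every hit from both checks against the given proc root, one line per hit.
hunt() {
    root=${1:-/proc}
    for pid in $(find_l1brary_pids "$root"); do
        echo "$pid LD_L1BRARY_PATH in environ"
    done
    for pid in $(find_deleted_php_shared_pids "$root"); do
        echo "$pid /dev/shm/php-shared mapped but deleted"
    done
}

case "${1:-}" in
    --hunt) hunt /proc ;;   # run as root so every process's environ and maps are readable
    --demo) tmp=$(mktemp -d); make_fake_proc "$tmp"; hunt "$tmp"; rm -rf "$tmp" ;;
esac
```

Run it with --hunt as root on a suspect host; --demo prints the two expected hits for PID 200 from the constructed tree. Other users' environ and maps files are unreadable without root and are silently skipped, so a clean run as an unprivileged user proves nothing.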
Conclusion
NginRAT is new yet effective, staying hidden inside Nginx web server processes. Researchers advise security teams to take proactive measures against emerging techniques and to keep looking for new ways to safeguard their networks from adversaries.