
Cybercrime: NginRAT targets the E-Commerce Nginx web server

Sansec: the new parasitic malware, spread by CronRAT, hijacks a host Nginx application to mask its presence

NginRAT is a new parasitic malware that targets the popular E-Commerce Nginx web server. It was discovered by Sansec cybersecurity experts, who were monitoring CronRAT and launched a custom RAT to intercept the commands from the Chinese server.

The new malicious code, spread by CronRAT, essentially hijacks a host Nginx application to mask its presence. To do that, it modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (e.g. dlopen), NginRAT injects itself. The result is a remote access trojan that is embedded in the Nginx process. On a typical eCommerce web server there are many processes, and the rogue Nginx looks just like the others.

So far, researchers have identified NginRAT instances on eCommerce servers in the US, Germany and France, but they suspect that more servers have been affected.
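Because the trojan lives inside an otherwise normal Nginx process, a process listing does not reveal it, but the code mapped into each process does. The following is an added example, not code from Sansec or the original article: it reads `/proc/<pid>/maps` for every process named `nginx` and reports executable file mappings loaded from outside a set of trusted directories or whose backing file has been deleted. The function names, the trusted directory list and the sample input are assumptions made for illustration.

```python
import os

# Assumption: directories a packaged Nginx normally loads code from.
TRUSTED = ("/usr/sbin/", "/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")

# Constructed sample in /proc/<pid>/maps format, not taken from a real infection.
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8b2a000 r-xp 00000000 08:01 393301 /usr/sbin/nginx
7f3e1c000000-7f3e1c1a0000 r-xp 00028000 08:01 131090 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3e1d200000-7f3e1d204000 r-xp 00000000 00:2f 77 /dev/shm/example-injected.so
7f3e1d400000-7f3e1d404000 rw-p 00000000 00:00 0
7f3e1d600000-7f3e1d604000 r-xp 00000000 08:01 131555 /usr/lib/example.so (deleted)
7ffd5a1e0000-7ffd5a1e2000 r-xp 00000000 00:00 0 [vdso]
"""

def suspicious_mappings(maps_text, trusted=TRUSTED):
    """Return sorted (path, reason) pairs for out-of-place executable file mappings."""
    findings = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) < 6:
            continue  # anonymous mapping (no backing file), e.g. heap or PCRE JIT
        perms, path = fields[1], fields[5].strip()
        if "x" not in perms or path.startswith("["):
            continue  # not executable, or a kernel pseudo-mapping such as [vdso]
        if path.endswith(" (deleted)"):
            findings.add((path, "backing file deleted"))
        elif not path.startswith(trusted):
            findings.add((path, "outside trusted directories"))
    return sorted(findings)

def scan_nginx(proc="/proc"):
    """Map pid -> findings for every running process whose name is nginx."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                if f.read().strip() != "nginx":
                    continue
            with open(f"{proc}/{pid}/maps") as f:
                hits = suspicious_mappings(f.read())
        except OSError:
            continue  # process exited, or its maps are not readable by this user
        if hits:
            results[int(pid)] = hits
    return results

if __name__ == "__main__":
    print(scan_nginx() or suspicious_mappings(SAMPLE_MAPS))
```

Run it as root so the maps of all Nginx workers are readable. A deleted mapping also appears after a legitimate package upgrade until Nginx is restarted, so treat findings as leads to verify rather than as proof of infection.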
