Source
https://sansec.io/research/cronrat
Manipulated code sample, they say they cleaned it up…
https://gist.github.com/gwillem/fbe3e6b98e2e10d7f1f271ca4b6e813f#file-cronrat-annotated-sh
They say that since the task is scheduled for February 31st it never gets executed. But how does it get executed?
I am also not entirely sure but it gets remotely executed.
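The "February 31st" detail above is a cron schedule that names a date which does not exist, so cron itself never fires it. A defender can look for exactly that pattern in crontabs. The following is an added example written for this thread; it is not code from the Sansec write-up or the linked gist. It parses standard five-field crontab lines (per-user and `/etc/crontab` style), expands the day-of-month and month fields, and reports entries that can never fire. The sample crontab is constructed for illustration, and the `example_payload` path is a placeholder.

```python
import re

# Maximum day each month can have; February is 29 so leap years count as possible.
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# cron accepts three-letter month names in the month field.
MONTH_NAMES = {name: i for i, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# minute hour day-of-month month day-of-week command
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def _to_int(token, names):
    """Convert a cron token ('15' or 'feb') to an integer."""
    token = token.strip().lower()
    if names and token[:3] in names:
        return names[token[:3]]
    return int(token)


def expand_field(field, lo, hi, names=None):
    """Expand a cron field such as '*', '1,15', '10-20/2' or '5/3' into the
    set of integer values it matches. Raises ValueError on malformed input."""
    values = set()
    for part in field.split(","):
        rng, _, step_str = part.partition("/")
        step = int(step_str) if step_str else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = _to_int(a, names), _to_int(b, names)
        else:
            start = _to_int(rng, names)
            # Vixie cron reads 'N/step' as the range N..hi.
            end = hi if step_str else start
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def never_fires(dom_field, month_field):
    """True when no (day, month) pair named by the two fields is a real date,
    e.g. '31' with '2' (Feb 31) or '31' with '4,6,9,11'."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12, MONTH_NAMES)
    return not any(d <= DAYS_IN_MONTH[m] for d in days for m in months)


def scan_crontab(text):
    """Return [(line_no, command)] for entries that can never run.
    Malformed schedule fields are reported too, since they also merit a look."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # blank line or comment
        if "=" in stripped.split()[0] or stripped.startswith("@"):
            continue                       # VAR=value or @reboot/@daily shortcut
        m = CRON_LINE.match(stripped)
        if not m:
            continue
        _minute, _hour, dom, month, dow, command = m.groups()
        try:
            # When day-of-week is restricted as well, cron ORs it with
            # day-of-month, so such an entry can still fire; only flag dow == '*'.
            if dow == "*" and never_fires(dom, month):
                findings.append((no, command))
        except ValueError:
            findings.append((no, command))
    return findings


# Constructed sample crontab (not from any real host).
SAMPLE_CRONTAB = """\
MAILTO=root
# routine maintenance job
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
# the hiding trick: February 31st never occurs (placeholder command)
52 23 31 2 * /var/tmp/example_payload >/dev/null 2>&1
# partially valid: fires on 31 March even though 31 Feb is impossible
0 0 31 2,3 * /usr/local/bin/report
# day-of-week is restricted too, so this fires on Mondays in February
0 0 31 2 1 /usr/local/bin/weekly
"""

if __name__ == "__main__":
    for no, cmd in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {no}: schedule can never fire -> {cmd}")
```

Run it against the output of `crontab -l` for each user and against `/etc/crontab` and `/etc/cron.d/*`; the user column in the system files is simply carried along as the start of the command and does not disturb the schedule parsing.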
From https://sansec.io/research/cronrat
Not all parts are disclosed for testing; this is not possible with the given code.
If you block the remote IP, that should already be enough to prevent it from starting even if you are infected. I'm trying to contact Bleeping to ask them to fill in all the gaps and release a range of all IPs.