New malware hides as legit nginx process on e-commerce servers (Security News, December 2021)
eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions.
NginRAT was found on eCommerce servers in North America and Europe that had been infected with CronRAT, a remote access trojan that hides payloads in tasks scheduled to execute on an invalid day of the calendar.
NginRAT has infected servers in the U.S., Germany, and France, where it injects into Nginx processes, leaving them indistinguishable from legitimate ones and allowing the malware to remain undetected.
"NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality, NginRAT intercepts it to inject itself" - Sansec.
Once the injection is complete, the Nginx process carries the remote access malware in a way that makes it virtually impossible to tell apart from a legitimate process.
Because NginRAT hides as a normal Nginx process and its code exists only in the server's memory, detecting it may be a challenge.
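One defensive check that follows from the description above (code that lives only in process memory inside an otherwise legitimate Nginx process) is to inspect the memory map of every running Nginx process and flag executable regions with no file on disk behind them. The script below is an added example written for this page; it is not Sansec's tooling and does not reproduce NginRAT's actual memory layout. It assumes a Linux host exposing /proc and a process named nginx, and the two sample /proc/PID/maps texts are constructed to illustrate a clean process and a hypothetical injected one.

```python
import os
import re
from collections import namedtuple

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path.
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

Region = namedtuple("Region", "start end perms path")

# Kernel-provided executable pseudo-mappings that are normal in every process.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}

# Constructed sample: what an unremarkable nginx worker map might look like.
SAMPLE_CLEAN = """\
55d0c2a00000-55d0c2b00000 r-xp 00000000 fd:01 1234567 /usr/sbin/nginx
55d0c2b00000-55d0c2b10000 r--p 00100000 fd:01 1234567 /usr/sbin/nginx
55d0c3000000-55d0c3100000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10200000 r-xp 00000000 fd:01 98765 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
7ffd5e1c0000-7ffd5e1c2000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed sample (hypothetical, not NginRAT's real layout): the clean map plus
# an anonymous rwx region and a library mapped from a file that was since deleted.
SAMPLE_INJECTED = SAMPLE_CLEAN + """\
7f3a20000000-7f3a20040000 rwxp 00000000 00:00 0
7f3a30000000-7f3a30010000 r-xp 00000000 fd:01 424242 /tmp/.x/lib.so (deleted)
"""


def parse_maps(text):
    """Parse /proc/<pid>/maps text into Region tuples; unknown lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return regions


def suspicious_exec_regions(regions):
    """Return (region, reasons) for executable mappings that no on-disk file explains."""
    findings = []
    for r in regions:
        if "x" not in r.perms:
            continue
        reasons = []
        if r.path == "":
            reasons.append("anonymous executable mapping")
        elif r.path.endswith("(deleted)"):
            reasons.append("executable mapping backed by a deleted file")
        elif r.path.startswith("[") and r.path not in BENIGN_PSEUDO:
            reasons.append("executable pseudo-mapping")
        if "w" in r.perms:
            reasons.append("writable and executable")
        if reasons:
            findings.append((r, reasons))
    return findings


def executable_files(regions):
    """Distinct on-disk files mapped executable, for comparison against expected libraries."""
    return sorted({r.path for r in regions if "x" in r.perms and r.path.startswith("/")})


def find_nginx_pids():
    """PIDs whose comm name is exactly 'nginx' (master and workers)."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == "nginx":
                    pids.append(int(entry))
        except OSError:
            continue
    return pids


def scan_live():
    """Scan every running nginx process; needs permission to read its maps (usually root)."""
    for pid in find_nginx_pids():
        try:
            with open(f"/proc/{pid}/maps") as f:
                regions = parse_maps(f.read())
        except OSError:
            continue
        for r, reasons in suspicious_exec_regions(regions):
            print(f"pid {pid}: {r.start:x}-{r.end:x} {r.perms} {r.path or '<anon>'}: "
                  + "; ".join(reasons))
        print(f"pid {pid} executable files: {executable_files(regions)}")


if __name__ == "__main__":
    scan_live()
```

Run as root on the host to inspect live processes; the executable-file list is meant to be compared against what the package manager and the Nginx build actually installed, so a library mapped from an unexpected path stands out even when its mapping looks file-backed. Anonymous executable memory is legitimate in JIT-heavy processes, but a stock Nginx worker has no reason to carry it.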