• CHEF-KOCHOP
    3 years ago

    I am also not entirely sure, but it gets remotely executed.

    From https://sansec.io/research/cronrat

    Not all parts are disclosed to testing, this is not possible with the given code.

    If you block the remote IP, that should already be enough to prevent it from starting even if you are infected. I am trying to contact Bleeping, asking them to fill all gaps and release a range of all IPs.