- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
Attackers deploy Linux backdoor on e-stores compromised with software skimmer
Researchers discovered threat actors installing a Linux backdoor on compromised e-commerce servers after deploying a credit card skimmer into e-stores.
Security researchers from Sansec Threat Research Team discovered a Linux backdoor during an investigation into the compromised of an e-commerce server with a software skimmer.
The attackers initially conducted a reconnaissance phase by probing the e-store with automated eCommerce attack probes. After a day and a half, the threat actors found and exploited a file upload vulnerability in one of the e-store’s plugins to upload a webshell and inject a software skimmer.
The attackers also uploaded a Linux backdoor (linux_avp) written in Golang that disguises as a fake ps -off process. The analysis of the backdoor revealed that it was able to receive commands from a server hosted on Alibaba (47.113.202.35). The backdoor injects a malicious crontab entry to achieve persistence.
“At the time of writing, no other anti-virus vendor recognize this malware. Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment “test”.” reads the post published by Sansec Threat Research Team.
We found a new Golang malware agent “linux_avp”.
✔️ targets eCommerce sites
✔️ hidden as “ps -ef” process
✔️ uses PKI
✔️ Alibaba hosted control server
✔️ compiled by user “dob”https://t.co/b40yS00EEd— Sansec (@sansecio) November 18, 2021
The backdoor was allegedly developed by user “dob” in a project folder “lin_avp”, the development team codenamed it GREECE.
The PHP-coded web skimmer, camouflaged as a .JPG image file (app/design/frontend/favicon_absolute_top[.]jpg), was dropped in the /app/design/frontend/ folder. The skimmer retrieves a fake payment form from the following address
https://103.233.11.28/jQuery_StXlFiisxCDN.php?hash=06d08a204bddfebe2858408a62c742e944824164
and inject it in the e-store.
At the time of this writing, the backdoor has a zero-detection rate on the anti-malware engines on VirusTotal a month after it was first uploaded on the platform.
“The person uploading the malware could very well be the malware author, who wanted to assert that common anti-virus engines will not detect their creation.” concludes the post. “Sansec has updated detection capabilities for our eComscan security monitor, and the malware was discovered on several US and EU based servers.”
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine