It seems that malicious actors are now installing a Linux backdoor on hacked e-commerce infrastructure, alongside a PHP-coded web skimmer that is inserted into the site and disguised as a .JPG picture file in the /app/design/frontend/ folder.
The attackers employ this script to download and insert phony payment forms into the checkout pages that the compromised online business displays to clients.
We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data.
Interestingly, the attacker also uploaded a Linux executable called linux_avp. This Golang program starts, removes itself from disk, and disguises itself as a fake ps -ef process.
The Golang-based malware, which was discovered on the same site by cyber-security firm Sansec, was downloaded and run as the linux_avp executable on infiltrated servers.
This stage effectively downloads the Golang malware executable to a random writable directory and installs two configuration files. One contains a public key, which is presumably used to ensure that no one but the malware owner can issue commands to it.
It removes itself from disk shortly after being launched and disguises itself as a "ps -ef" process, the command normally used to list the processes currently running.
The researchers discovered that the linux_avp backdoor waits for orders from a Beijing server on Alibaba's network.
As reported by BleepingComputer, the malware can achieve persistence by inserting a new crontab entry that re-downloads the malicious payload from its command-and-control server and reinstalls the backdoor.
Unfortunately, it seems that the backdoor is still undetected by the anti-malware engines on VirusTotal.
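Since signature engines miss it, a host-side hunt for the two behaviours described above (a long-lived "ps -ef" whose binary has been deleted from disk, and a crontab line that re-fetches and runs a payload) is a practical alternative. The script below is an added example written for this page, not code from Sansec or BleepingComputer; the dict field names, the regex and the sample data are our own assumptions.

```python
import os
import re

# Added example, not from the original report: crontab lines that pull a
# remote file into a shell, or mark a fresh download executable, are what a
# re-infection job looks like. Tune this pattern to your own estate.
CRON_FETCH = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b|\bchmod\s+\+x\b")


def collect_procs(proc_root="/proc"):
    """Read live processes into dicts: pid, cmdline, and the /proc/PID/exe target.
    A deleted binary shows up as '/path/to/file (deleted)' in the exe link."""
    procs = []
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited or we lack permission; skip it
        procs.append({"pid": int(pid), "cmdline": cmdline, "exe": exe})
    return procs


def find_masquerading_processes(procs):
    """Return processes whose argv[0] claims to be 'ps' but whose binary is
    deleted or lives outside a system bin directory. A real 'ps -ef' exits in
    milliseconds, so a resident one with a missing exe is a strong signal."""
    hits = []
    for p in procs:
        argv0 = p["cmdline"].split(" ")[0] if p["cmdline"] else ""
        looks_like_ps = os.path.basename(argv0) == "ps"
        deleted = p["exe"].endswith(" (deleted)")
        odd_path = re.match(r"^/(usr/)?s?bin/", p["exe"]) is None
        if looks_like_ps and (deleted or odd_path):
            hits.append(p)
    return hits


def suspicious_cron_lines(lines):
    """Flag non-comment crontab lines that download and execute a payload."""
    return [l for l in lines if not l.lstrip().startswith("#") and CRON_FETCH.search(l)]


if __name__ == "__main__":
    for p in find_masquerading_processes(collect_procs()):
        print(f"suspicious pid {p['pid']}: {p['cmdline']!r} exe={p['exe']}")
    if os.path.exists("/etc/crontab"):
        with open("/etc/crontab") as f:
            for line in suspicious_cron_lines(f.read().splitlines()):
                print("suspicious cron entry:", line)
```

Run it as root so /proc/PID/exe is readable for every process; user crontabs under /var/spool/cron are worth feeding to suspicious_cron_lines as well.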