It seems that malicious actors are now installing a Linux backdoor on hacked e-commerce infrastructure., that works by having a PHP-coded web skimmer inserted and disguised as a.JPG picture file, in the /app/design/frontend/ folder.

The attackers employ this script to download and insert phony payment forms into the checkout pages that the compromised online business displays to clients.

We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data.

Interestingly, the attacker also uploaded a Linux executable called linux_avp. This Golang program starts, removes itself from disk, and disguises as a fake ps -ef process.


The Golang-based malware, which was discovered on the same site by cyber-security firm Sansec, was downloaded and run as a linux avp executable on infiltrated servers.

This effectively downloads the Golang malware executable to a random writable directory, and installs two configuration files. One contains a public key, which is presumably used to ensure that no-one but the malware owner can launch commands.


It removes itself from the disk shortly after being launched and disguises itself as a “ps -ef” process that would be used to retrieve a list of presently active processes.

The researchers discovered that the linux avp backdoor waits for orders from a Beijing server on Alibaba’s network.

As reported by BleepingComputer, the virus can obtain persistence by inserting a new crontab entry that can redownload the malicious payload and reinstall the backdoor from its command-and-control server.

Unfortunately, it seems that the backdoor is still undetected by the anti-malware engines on VirusTotal.

If you liked this article follow us on LinkedInTwitterYouTubeFacebook, and Instagram to keep up to date with everything cybersecurity.

Top Cybersecurity Trends – Current Landscape and 2023 Predictions

A Version of Linux Cobalt Strike Beacon Is Being Used in Ongoing Attacks


Hi, we have an magento installation affected by linux_avp.

What do we have to do to remove this malware.
Are you offering a remove service an how much will this be!

We have detected in app/design/frontend/ the file: favicon_absolute_top.jpg
This is not an picture we have opened as text file and the php code was visible.

Leave a Reply

Your email address will not be published. Required fields are marked *