Linux Malware and Web Skimmer Deployed on E-commerce Servers
The Attackers Are Deploying a Linux Backdoor on Compromised E-commerce Servers.
It seems that malicious actors are now installing a Linux backdoor on hacked e-commerce infrastructure., that works by having a PHP-coded web skimmer inserted and disguised as a.JPG picture file, in the /app/design/frontend/ folder.
The attackers employ this script to download and insert phony payment forms into the checkout pages that the compromised online business displays to clients.
We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data.
Interestingly, the attacker also uploaded a Linux executable called linux_avp. This Golang program starts, removes itself from disk, and disguises as a fake ps -ef process.
The Golang-based malware, which was discovered on the same site by cyber-security firm Sansec, was downloaded and run as a linux avp executable on infiltrated servers.
This effectively downloads the Golang malware executable to a random writable directory, and installs two configuration files. One contains a public key, which is presumably used to ensure that no-one but the malware owner can launch commands.
It removes itself from the disk shortly after being launched and disguises itself as a “ps -ef” process that would be used to retrieve a list of presently active processes.
The researchers discovered that the linux avp backdoor waits for orders from a Beijing server on Alibaba’s network.
As reported by BleepingComputer, the virus can obtain persistence by inserting a new crontab entry that can redownload the malicious payload and reinstall the backdoor from its command-and-control server.
Unfortunately, it seems that the backdoor is still undetected by the anti-malware engines on VirusTotal.