A new Linux backdoor, named linux_avp, has been discovered abusing weaknesses in e-commerce sites around the world. Experts claim it was receiving commands from a control server located in Beijing.
What has happened?
According to researchers, the attackers are exploiting weaknesses in e-commerce portals to deploy linux_avp, along with a credit card skimmer, to steal payment information from the targeted websites.
The attacker used an automated e-commerce attack to discover dozens of weaknesses in online store platforms.
After scanning for one and a half days, the attacker discovered a file upload vulnerability in one of the store's plugins.
They exploited this vulnerability to gain an initial foothold. Then, they uploaded a malicious web shell and altered the server code to siphon customer data.
Subsequently, they delivered a linux_avp backdoor, which allowed attackers to execute commands remotely sent from a C2 server in Beijing.
After execution, the malware deletes itself from disk and disguises itself as a process named "ps -ef", mimicking the standard utility that lists running processes on Unix and Unix-like operating systems.
Additionally, the researchers have discovered a PHP-coded web skimmer being added into the e-commerce platform's code.
This skimmer pretends to be a favicon image (favicon_absolute_top[.]jpg).
It is used to inject fraudulent payment forms and steal credit card information entered by customers in real time, before it is transmitted to a remote server.
The PHP code was hosted on a server based in Hong Kong and was previously used as an endpoint for skimming exfiltration in July and August.
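As an added example (not code from the report or the researchers), the following Python script shows two host-side checks a defender could run for the behaviours described above: a process whose command line claims to be ps but whose backing executable has been unlinked from disk, and an image-named file that actually contains PHP. The sample process and file records are constructed, and the field names, paths and heuristics are assumptions.

```python
import os
import re
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    cmdline: str  # argv joined by spaces, as read from /proc/<pid>/cmdline
    exe: str      # target of the /proc/<pid>/exe symlink ("" if unreadable)

def is_suspicious_proc(p: Proc) -> bool:
    # argv[0] says "ps" but the binary is gone: the kernel appends " (deleted)" to the exe link
    argv0 = p.cmdline.split(" ")[0].rsplit("/", 1)[-1]
    return argv0 == "ps" and p.exe.endswith("(deleted)")

def list_procs() -> list:
    # Collect live processes from /proc (Linux only; other users' exe links need root)
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # process exited or entry not readable
        procs.append(Proc(int(name), cmd, exe))
    return procs

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico")

def is_php_in_image(path: str, data: bytes) -> bool:
    # An "image" whose bytes contain a PHP open tag, as with the favicon-named skimmer
    return path.lower().endswith(IMAGE_EXT) and PHP_TAG.search(data) is not None

# Constructed sample records (hypothetical pids and paths) for an offline run.
SAMPLE_PROCS = [
    Proc(1, "/sbin/init", "/usr/lib/systemd/systemd"),
    Proc(4242, "ps -ef", "/tmp/.x/linux_avp (deleted)"),  # masquerading backdoor
    Proc(4300, "ps -ef", "/usr/bin/ps"),                   # a genuine ps run
]
SAMPLE_FILES = {
    "pub/media/favicon_absolute_top.jpg": b"\xff\xd8\xff<?php /* skimmer */ ?>",
    "pub/media/logo.png": b"\x89PNG\r\n\x1a\n",
}

if __name__ == "__main__":
    print([p.pid for p in SAMPLE_PROCS if is_suspicious_proc(p)])
    print([f for f, d in SAMPLE_FILES.items() if is_php_in_image(f, d)])
```

On a live Linux host, replace SAMPLE_PROCS with list_procs() and walk the web root for SAMPLE_FILES; a hit on either check warrants a closer look rather than being conclusive on its own.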
The recent attacks using linux_avp show that cybercriminals are actively finding and exploiting weaknesses in websites, especially e-commerce platforms. Businesses doing online commerce should understand the risks associated with unpatched plugins. To stay protected, experts recommend enterprises focus on detecting and blocking skimming attacks.