A new Linux backdoor, named linux_avp, has been discovered abusing weaknesses in e-commerce sites around the world. Experts claim it was receiving commands from a control server located in Beijing.

What has happened?

According to researchers, the attackers are exploiting weaknesses in e-commerce portals to deploy linux_avp, along with a credit card skimmer, to steal payment information from the targeted websites.
  • The attacker ran an automated e-commerce attack scanner that probed for dozens of weaknesses in online store platforms.
  • After scanning for one and a half days, the attacker discovered a file upload vulnerability in one of the store's plugins.
  • They exploited this vulnerability to gain an initial foothold, then uploaded a malicious web shell and altered the server code to siphon customer data.
  • Subsequently, they delivered the linux_avp backdoor, which allowed them to execute commands sent remotely from a C2 server in Beijing.

After execution, the malware deletes itself from disk and hides as a process named "ps -ef", mimicking the standard utility that lists the processes currently running on Unix and Unix-like operating systems.
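The two behaviours described above (the binary unlinked after launch, and a process whose argv claims to be "ps -ef") both leave traces in procfs that a defender can check. The following detector is an added example, not code from the original report or from any vendor tooling; it assumes only the Linux /proc layout and runs offline against a constructed sample tree, where the /tmp/linux_avp path is hypothetical.

```python
import os
import tempfile
from pathlib import Path
DELETED = " (deleted)"  # suffix procfs adds to an exe link whose file was unlinked

def parse_cmdline(raw: bytes) -> str:
    """procfs cmdline is NUL-separated; render it as one shell-style line."""
    return " ".join(p.decode(errors="replace") for p in raw.split(b"\x00") if p)

def find_masquerading_ps(proc_root="/proc"):
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue                              # not a pid directory
        try:
            cmdline = parse_cmdline((entry / "cmdline").read_bytes())
            exe = os.readlink(entry / "exe")      # on-disk path of the running binary
        except OSError:
            continue                              # kernel thread, exited, or no permission
        real_exe = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
        reasons = []
        if exe.endswith(DELETED):
            # Binary unlinked after launch. Also benign after package upgrades, so a lead, not proof.
            reasons.append("executable deleted from disk")
        if cmdline.split()[:1] == ["ps"] and Path(real_exe).name != "ps":
            reasons.append("argv says ps but exe is " + real_exe)
        if reasons:
            hits.append({"pid": int(entry.name), "cmdline": cmdline, "exe": exe, "reasons": reasons})
    return sorted(hits, key=lambda h: h["pid"])

def build_sample_proc(root: Path) -> Path:
    """Constructed sample procfs tree (not real data) so the detector runs offline."""
    samples = {
        "7":    (b"bash\x00",      "/usr/bin/bash"),
        "100":  (b"ps\x00-ef\x00", "/usr/bin/ps"),               # the genuine utility
        "4242": (b"ps\x00-ef\x00", "/tmp/linux_avp" + DELETED),  # hypothetical path
    }
    for pid, (cmdline, target) in samples.items():
        (root / pid).mkdir(parents=True)
        (root / pid / "cmdline").write_bytes(cmdline)
        os.symlink(target, root / pid / "exe")    # dangling link, just like a deleted exe
    return root

def run_sample():
    with tempfile.TemporaryDirectory() as tmp:
        return find_masquerading_ps(build_sample_proc(Path(tmp)))

if __name__ == "__main__":
    print(run_sample())
```

Running find_masquerading_ps() with the default root inspects the live system; processes whose exe link is deleted only because a package was upgraded will also show up, so confirm each hit before acting on it.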

The skimmer

Additionally, the researchers have discovered a PHP-coded web skimmer being added into the e-commerce platform's code.
  • This skimmer pretends to be a favicon image (favicon_absolute_top[.]jpg).
  • It injects fraudulent payment forms and captures the credit card details customers enter in real time, then transmits them to a remote server.
  • The PHP code was hosted on a server based in Hong Kong and was previously used as an endpoint for skimming exfiltration in July and August.

Conclusion

The recent attacks using linux_avp show that cybercriminals are actively finding and exploiting weaknesses in websites, especially e-commerce platforms. Businesses doing online commerce should understand the risks associated with unpatched plugins. To stay protected, experts recommend that enterprises focus on detecting and blocking skimming attacks.

Cyware Publisher