A new Linux backdoor, named linux_avp, has been found on e-commerce sites around the world, planted by attackers who first exploited weaknesses in the sites themselves. According to the researchers who analyzed it, the backdoor received its commands from a control server located in Beijing.

What has happened?

According to researchers, the attackers exploited weaknesses in e-commerce portals to deploy linux_avp together with a credit card skimmer, stealing payment information from the targeted websites.
  • The attacker ran automated scans against the store, probing for dozens of known weaknesses in online store platforms.
  • After about a day and a half of scanning, the attacker found a file upload vulnerability in one of the store's plugins.
  • They exploited this vulnerability to gain an initial foothold, uploaded a malicious web shell, and modified the server-side code to siphon customer data.
  • They then deployed the linux_avp backdoor, which executed commands sent remotely from a C2 server in Beijing.

Once executed, the malware deletes its own file from disk and disguises itself as a process named "ps -ef", mimicking the standard Unix utility that lists running processes, so that it blends into the output of the very tools an administrator would use to look for it.
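A process can write whatever it likes into its own argv, so the "ps -ef" name alone proves nothing; what it cannot forge is the /proc/<pid>/exe symlink, which the kernel sets at execve and which gains a " (deleted)" suffix once the backing file has been unlinked. The check below is an added example for this article (not the researchers' tooling or the malware's code): it flags any process that claims to be `ps -ef` but whose executable is not a `ps` binary, and, going a step beyond the specific disguise described above, also lists every process whose binary was deleted after start. The sample process table and the /tmp and /var/tmp paths in it are constructed for illustration.

```python
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Proc:
    """One process as seen through /proc: pid, argv joined with spaces,
    and the target of the /proc/<pid>/exe symlink ("" when unreadable)."""
    pid: int
    cmdline: str
    exe: str


def is_fake_ps(p: Proc) -> bool:
    """True when a process claims to be `ps -ef` but its executable does not
    back that claim: the binary was unlinked, cannot be read, or is not ps."""
    if p.cmdline.strip() != "ps -ef":
        return False
    if p.exe == "" or p.exe.endswith(" (deleted)"):
        return True
    return os.path.basename(p.exe) != "ps"


def exe_deleted(p: Proc) -> bool:
    """Binary removed after start. Also happens legitimately after a package
    upgrade, so this is a lead to triage, not proof of an implant."""
    return p.exe.endswith(" (deleted)")


def find_suspicious(procs: Iterable[Proc]) -> Dict[str, List[int]]:
    """PIDs per check, in the order the processes were given."""
    procs = list(procs)
    return {
        "fake_ps": [p.pid for p in procs if is_fake_ps(p)],
        "deleted_exe": [p.pid for p in procs if exe_deleted(p)],
    }


def read_procfs() -> List[Proc]:
    """Snapshot live processes from /proc (Linux). Run as root: exe links of
    other users' processes are otherwise unreadable and come back as ""."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited between listdir and open
        if not raw:
            continue  # kernel thread: no argv, cannot pose as ps
        cmdline = raw.rstrip(b"\0").replace(b"\0", b" ").decode(errors="replace")
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # EACCES without root, or the process is gone
        procs.append(Proc(pid, cmdline, exe))
    return procs


# Constructed sample, not real telemetry: a genuine ps, a self-deleted implant,
# an implant running from a hidden directory, an unrelated daemon, and a
# service whose binary was replaced by an upgrade. Paths are assumptions.
SAMPLE = [
    Proc(1012, "ps -ef", "/usr/bin/ps"),
    Proc(2231, "ps -ef", "/tmp/.x/avp (deleted)"),
    Proc(2232, "ps -ef", "/var/tmp/.cache/sh"),
    Proc(3001, "nginx: worker process", "/usr/sbin/nginx"),
    Proc(4100, "/usr/local/bin/worker", "/usr/local/bin/worker (deleted)"),
]

if __name__ == "__main__":
    procs = read_procfs() if os.path.isdir("/proc") else SAMPLE
    for check, pids in find_suspicious(procs).items():
        print(f"{check}: {pids or 'none'}")
```

Run it as root on the suspect host so the exe links resolve; an unreadable link is deliberately treated as suspicious rather than ignored, because an unverifiable "ps -ef" is exactly what an attacker would want you to skip. Pair a hit with `ls -l /proc/<pid>/fd` and `cat /proc/<pid>/maps` before the process exits, since the binary itself is already gone from disk.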

The skimmer

Additionally, the researchers found a PHP web skimmer injected into the e-commerce platform's code.
  • The skimmer is disguised as a favicon image (favicon_absolute_top[.]jpg).
  • It injects fraudulent payment forms into the checkout, captures the credit card details customers enter in real time, and transmits them to a remote server.
  • The PHP code was hosted on a server in Hong Kong that had already served as an exfiltration endpoint for skimmed data in July and August.
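A PHP file saved with an image extension only does harm once some PHP source pulls it in, so the two things worth sweeping a web root for are image-named files that contain a PHP open tag and `include`/`require` statements whose target has an image extension. The scanner below is an added example written for this article, not the researchers' tooling; the sample store tree it builds is constructed inline, uses the favicon name from the report, and contains only a placeholder comment where the skimmer body would be.

```python
import os
import re
import tempfile
from typing import Dict, List

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg")
PHP_SRC_EXT = (".php", ".phtml")

# A PHP open tag anywhere in the file. Image data can legitimately contain any
# bytes, so a hit is a lead to inspect by hand, not proof on its own.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# include/require(_once) of a string literal ending in an image extension.
# Dynamic includes such as `include $path;` are invisible to this pattern.
INCLUDE_IMAGE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]"
    rb"([^'\"]+\.(?:jpe?g|png|gif|ico|svg))['\"]",
    re.IGNORECASE,
)


def scan_webroot(root: str, max_bytes: int = 1 << 20) -> Dict[str, List[str]]:
    """Walk a document root and report (1) image-named files holding PHP and
    (2) PHP sources that include an image-named file. Paths are relative to
    root and sorted so results are stable across filesystems."""
    findings: Dict[str, List[str]] = {"php_in_image": [], "include_of_image": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as f:
                    data = f.read(max_bytes)  # cap: media dirs hold big files
            except OSError:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = name.lower()
            if lower.endswith(IMAGE_EXT) and PHP_OPEN_TAG.search(data):
                findings["php_in_image"].append(rel)
            elif lower.endswith(PHP_SRC_EXT):
                for m in INCLUDE_IMAGE.finditer(data):
                    target = m.group(1).decode(errors="replace")
                    findings["include_of_image"].append(f"{rel} -> {target}")
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree() -> str:
    """Constructed fixture (assumed layout, not a real store): a fake favicon
    carrying a PHP tag, a genuine PNG header, a checkout file that requires
    the fake favicon, and a clean file that only includes real PHP."""
    root = tempfile.mkdtemp(prefix="shop-")
    files = {
        "media/favicon_absolute_top.jpg":
            b"<?php /* constructed stand-in for the skimmer body */\n",
        "media/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "app/code/Checkout.php":
            b"<?php\nrequire_once 'media/favicon_absolute_top.jpg';\n",
        "app/code/Cart.php": b"<?php\nrequire_once 'lib/Cart.php';\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(scan_webroot(build_sample_tree()), indent=2))
```

Point `scan_webroot` at the real document root (for example the Magento `pub/` and `app/` directories) rather than the fixture. Two caveats: an attacker can load the payload through a variable path or through `file_get_contents` plus `eval`, which this pattern does not see, and the cleanest signal on a production store is still a diff of the web root against the deployed release, since any file that is not in version control has no business being there.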


The recent attacks using linux_avp show that cybercriminals are actively finding and exploiting weaknesses in public-facing websites, especially e-commerce platforms. Businesses selling online should understand the risk posed by unpatched third-party plugins: here, a single plugin's file upload vulnerability was enough to give the attacker a foothold on the server. To stay protected, experts recommend that enterprises focus on detecting and blocking skimming attacks.

Cyware Publisher