The appearance of linux_avp shortly before Black Friday is a serious threat to many e-commerce websites. According to tech experts, no antivirus solution currently recognizes this malware, so researchers warn administrators to watch their Linux servers carefully. According to recent research, attackers are also installing Linux backdoors on online shops' servers after deploying credit card skimmers.
The Sansec group recently announced the discovery of a new malicious agent called linux_avp that hides on e-commerce servers by posing as one of the system processes. The group also revealed that the malware has been in circulation since last week, and that an Alibaba-hosted server in Beijing is sending commands to it.
A Sansec representative reported that automated e-commerce probes were used in the attack. The probes look for weaknesses in the e-commerce platform; the vulnerability they found allowed attackers to upload and edit files. By uploading a web shell, an attacker could then modify the server code to intercept customer data.
What is Linux_avp?
A Golang program named linux_avp is also uploaded. It can remove itself from disk and masquerade as a fake "ps -ef" process. According to Sansec's findings, linux_avp acts as a backdoor, waiting for commands from an Alibaba-hosted server in Beijing. The backdoor code was injected into linux_avp under the codename "GREECE" by a user named "dob". The malware also installs a crontab entry so that access is retained even if its processes are killed or the server reboots.
According to Sansec, no other anti-virus company is currently aware of the problem. On October 8, an unidentified user, possibly the author, uploaded the malware to VirusTotal. Sansec improved the detection capabilities of its eComscan security monitor and subsequently found the malware on many servers in the United States and Europe.
Can you explain what has happened?
To steal payment information from the targeted websites, the attackers are using linux_avp, along with a credit card skimmer, to exploit weaknesses in e-commerce portals.
- The attacker used an automated e-commerce attack to discover dozens of weaknesses in online store platforms.
- They took advantage of this flaw to establish an initial foothold. Next, a malicious web shell was uploaded, which modified the server code to steal customer information.
- The attackers then delivered the linux_avp backdoor, which allowed them to execute commands remotely from a C2 server in Beijing.
Once executed, the malware deletes itself from disk and hides as a fake process named "ps -ef", the name of the utility that lists the currently running processes on a Unix-like system.
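Because the backdoor both deletes its own binary and names its process "ps -ef", a defender can cross-check every process that claims to be `ps` against the executable the kernel actually has mapped. The following is an added detection example, not code from Sansec or from the article; the sample process list and the paths it contains are constructed, and the set of legitimate `ps` locations is an assumption that must be adjusted on systems where `ps` is a BusyBox applet.

```python
import os
from typing import Iterable, List, NamedTuple, Optional, Tuple


class ProcInfo(NamedTuple):
    pid: int
    cmdline: str           # argv joined with spaces, from /proc/<pid>/cmdline
    exe: Optional[str]     # target of the /proc/<pid>/exe symlink, None if unreadable


# Assumption: where a genuine ps binary lives on common distributions.
LEGIT_PS = {"/bin/ps", "/usr/bin/ps"}


def suspicious_ps(p: ProcInfo) -> Optional[str]:
    """Return a reason if the process masquerades as `ps`, else None."""
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    if os.path.basename(argv0) != "ps":
        return None                      # not claiming to be ps at all
    if p.exe is None:
        return "claims to be ps but /proc/<pid>/exe is unreadable"
    if p.exe.endswith(" (deleted)"):
        # The kernel appends " (deleted)" when the mapped binary no longer exists on disk,
        # which matches a self-deleting implant.
        return "claims to be ps but its binary was deleted from disk"
    if p.exe not in LEGIT_PS:
        return f"claims to be ps but runs from {p.exe}"
    return None


def scan(procs: Iterable[ProcInfo]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process flagged by suspicious_ps()."""
    return [(p.pid, r) for p in procs if (r := suspicious_ps(p))]


def read_proc() -> List[ProcInfo]:
    """Collect ProcInfo for every live process on this host (Linux /proc only)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            continue                     # process exited while we were scanning
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None                   # kernel thread, or not enough privilege
        out.append(ProcInfo(pid, cmdline, exe))
    return out


# Constructed sample: one genuine ps, one self-deleted implant, one ps from an odd path.
SAMPLE = [
    ProcInfo(1, "/sbin/init", "/usr/lib/systemd/systemd"),
    ProcInfo(2001, "ps -ef", "/usr/bin/ps"),
    ProcInfo(2002, "ps -ef", "/tmp/.cache/avp (deleted)"),
    ProcInfo(2003, "ps -ef", "/var/www/html/media/avp"),
]

if __name__ == "__main__":
    for pid, reason in scan(read_proc() if os.path.isdir("/proc") else SAMPLE):
        print(pid, reason)
```

Run it as root so that `/proc/<pid>/exe` is readable for processes owned by other users; an unreadable link is itself reported rather than silently skipped.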
Moreover, the researchers found a PHP web skimmer embedded in the platform’s code.
- A skimmer named favicon_absolute_top[.]jpg masquerades as a favicon image.
- Fraudulent payment forms are injected and credit card information is stolen in real time before being sent to a remote server.
- A server in Hong Kong hosted the PHP code; the same server had been used for skimming exfiltration in July and August.
The recent linux_avp attacks demonstrate that cybercriminals are actively looking for and exploiting weaknesses in public-facing websites, including e-commerce platforms. Unpatched plugins are a risk for businesses doing online commerce. Experts recommend that enterprises focus on detecting and blocking skimming attacks to stay protected.