Security researchers from Sansec Threat Research Team discovered a Linux backdoor during an investigation into the compromised of an e-commerce server with a software skimmer.
The attackers initially conducted a reconnaissance phase by probing the e-store with automated eCommerce attack probes. After a day and a half, the threat actors found and exploited a file upload vulnerability in one of the e-store’s plugins to upload a webshell and inject a software skimmer.
The attackers also uploaded a Linux backdoor (linux_avp) written in Golang that disguises as a fake ps -off process. The analysis of the backdoor revealed that it was able to receive commands from a server hosted on Alibaba (47.113.202.35). The backdoor injects a malicious crontab entry to achieve persistence.
“At the time of writing, no other anti-virus vendor recognize this malware. Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment “test”.” reads the post published by Sansec Threat Research Team.
The backdoor was allegedly developed by user “dob” in a project folder “lin_avp”, the development team codenamed it GREECE.
The PHP-coded web skimmer, camouflaged as a .JPG image file (app/design/frontend/favicon_absolute_top[.]jpg), was dropped in the /app/design/frontend/ folder. The skimmer retrieves a fake payment form from the following address
https://103.233.11.28/jQuery_StXlFiisxCDN.php?hash=06d08a204bddfebe2858408a62c742e944824164
and inject it in the e-store.
At the time of this writing, the backdoor has a zero-detection rate on the anti-malware engines on VirusTotal a month after it was first uploaded on the platform.
“The person uploading the malware could very well be the malware author, who wanted to assert that common anti-virus engines will not detect their creation.” concludes the post. “Sansec has updated detection capabilities for our eComscan security monitor, and the malware was discovered on several US and EU based servers.”
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Linux Backdoor)
[adrotate banner=”5″]
[adrotate banner=”13″]