Attackers deploy Linux backdoor on e-stores compromised with software skimmer

Researchers discovered threat actors installing a Linux backdoor on compromised e-commerce servers after deploying a credit card skimmer into e-stores.

Security researchers from Sansec Threat Research Team discovered a Linux backdoor during an investigation into the compromised of an e-commerce server with a software skimmer.

The attackers initially conducted a reconnaissance phase by probing the e-store with automated eCommerce attack probes. After a day and a half, the threat actors found and exploited a file upload vulnerability in one of the e-store’s plugins to upload a webshell and inject a software skimmer.

The attackers also uploaded a Linux backdoor (linux_avp) written in Golang that disguises as a fake ps -off process. The analysis of the backdoor revealed that it was able to receive commands from a server hosted on Alibaba (47.113.202.35). The backdoor injects a malicious crontab entry to achieve persistence.

“At the time of writing, no other anti-virus vendor recognize this malware. Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment “test”.” reads the post published by Sansec Threat Research Team.

The backdoor was allegedly developed by user “dob” in a project folder “lin_avp”, the development team codenamed it GREECE.

The PHP-coded web skimmer, camouflaged as a .JPG image file (app/design/frontend/favicon_absolute_top[.]jpg), was dropped in the /app/design/frontend/ folder. The skimmer retrieves a fake payment form from the following address

https://103.233.11.28/jQuery_StXlFiisxCDN.php?hash=06d08a204bddfebe2858408a62c742e944824164

and inject it in the e-store.

At the time of this writing, the backdoor has a zero-detection rate on the anti-malware engines on VirusTotal a month after it was first uploaded on the platform.

“The person uploading the malware could very well be the malware author, who wanted to assert that common anti-virus engines will not detect their creation.” concludes the post. “Sansec has updated detection capabilities for our eComscan security monitor, and the malware was discovered on several US and EU based servers.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux Backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.