Security researchers from the Sansec Threat Research Team discovered a Linux backdoor.On October 8th, the same malware was submitted to Virustotal with the comment test. As of this writing, no other anti-virus vendor identifies this malware. This was only one day after our customer’s store had been successfully breached.

The person who uploaded the malware could be the malware author, who wanted to claim that common anti-virus engines would not detect their creation.

The attackers began with a discovery process in which they enquired the e-store with automated eCommerce attack probes. After about a day and a half, the threat actors discovered and exploited a file upload vulnerability in one of the e-plugins, store’s allowing them to upload a webshell and inject a software skimmer.

The attackers also uploaded a Golang-written Linux backdoor (linux avp) that tries to present as a false ps -off process. The backdoor was discovered to be capable of receiving commands from a server hosted on Alibaba (47.113.202.35). To achieve persistence, the backdoor injects a malicious crontab entry.

Sansec tweeted as a post,

We found a New Goiang malware agent “linux_avp”.

  • targets eCommerce sites hidden as “ps-ef” process
  • uses PKI
  • Alibaba hosted control server
  • complied by user “dob”

The backdoor was allegedly created by user “dob” in the project folder “lin avp,” and it was codenamed GREECE by the development team.

The PHP-coded web skimmer was hidden in the /app/design/frontend/ folder as a.JPG image file (app/design/frontend/favicon absolute top[.]jpg). The skimmer obtains a bogus payment form from the address listed below.



https://103.233.11.28/jQuery_StXlFiisxCDN.php?hash=06d08a204bddfebe2858408a62c742e944824164

 Finally Sansec concluded that “The person uploading the malware could very well be the malware author, claiming that common anti-virus engines will not detect their creation.Sansec has updated detection capabilities for our eComscan security monitor, and the malware was discovered on several servers in the United States and the European Union”.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Published by shamili0508

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s