A new Linux backdoor, linux_avp, has been discovered on compromised e-commerce sites around the world. Researchers believe it was receiving its commands from a control server in Beijing.
According to the researchers, the attackers exploited vulnerabilities in e-commerce portals to plant both linux_avp and a credit card skimmer, and used the pair to steal payment information from the targeted stores.
The attacker first ran an automated attack tool that probed the online store platform for dozens of known weaknesses.
After about a day and a half of scanning, it found a file upload vulnerability in one of the store's plugins.
The attackers used this flaw to gain an initial foothold: they uploaded a malicious web shell and then modified the server-side code so that customer data could be captured.
They then deployed the linux_avp backdoor, which executes commands received from a command-and-control (C2) server in Beijing.
Once launched, the malware deletes its own executable from disk and presents itself as a process named “ps -ef”, the standard Unix command for listing running processes, so that it blends into the process list.
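The two traits just described, a running binary that has been deleted from disk and a process that calls itself “ps -ef” while running from somewhere other than the real ps, are both visible in /proc. The script below is an added example, not code from the original report or from the researchers, showing how to audit a process table for them. The backdoor path /var/tmp/linux_avp in the sample data and the list of legitimate ps locations are assumptions for illustration; the sample process table is constructed, not captured from a real infection.

```python
from __future__ import annotations

import os
from dataclasses import dataclass

# Where a genuine ps binary lives on common Linux distributions (assumption).
LEGIT_PS_PATHS = {"/bin/ps", "/usr/bin/ps"}


@dataclass
class ProcInfo:
    pid: int
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str      # target of the /proc/<pid>/exe symlink ("" if unreadable)


def audit(proc: ProcInfo) -> list[str]:
    """Return the reasons a process looks like linux_avp (empty list if none).

    Two checks: the kernel appends " (deleted)" to /proc/<pid>/exe when the
    running binary has been unlinked, and a process whose argv[0] is "ps"
    should be running from the real ps binary, not from anywhere else.
    """
    reasons = []
    deleted = proc.exe.endswith(" (deleted)")
    if deleted:
        reasons.append("executable deleted from disk while still running")
    real_exe = proc.exe[: -len(" (deleted)")] if deleted else proc.exe
    argv0 = proc.cmdline.split(" ", 1)[0] if proc.cmdline else ""
    if os.path.basename(argv0) == "ps" and real_exe not in LEGIT_PS_PATHS:
        reasons.append(f"claims to be ps but runs from {real_exe or 'unknown'}")
    return reasons


def scan(procs: list[ProcInfo]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in procs if (r := audit(p))}


def read_proc() -> list[ProcInfo]:
    """Collect ProcInfo from a live /proc (Linux only). Entries that vanish
    mid-scan or cannot be read without root are skipped."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
        procs.append(ProcInfo(int(name), cmdline, exe))
    return procs


# Constructed sample process table, not captured from a real infection.
# The backdoor path /var/tmp/linux_avp is an assumption for illustration.
SAMPLE = [
    ProcInfo(1, "/sbin/init", "/usr/lib/systemd/systemd"),
    ProcInfo(4242, "ps -ef", "/usr/bin/ps"),                   # a genuine ps
    ProcInfo(5150, "ps -ef", "/var/tmp/linux_avp (deleted)"),  # the pattern in the report
    ProcInfo(6000, "php-fpm: pool www", "/usr/sbin/php-fpm8.1"),
]

if __name__ == "__main__":
    print("sample table:", scan(SAMPLE))
    if os.path.isdir("/proc"):
        print("live system:", scan(read_proc()))
```

The process name and cmdline are under the process's own control, which is exactly how the malware fakes “ps -ef”; the exe symlink reflects the binary the kernel actually mapped, so it is the stronger signal, although an implant running as root can still tamper with /proc. While the process is alive, the deleted executable can be recovered for analysis by copying /proc/<pid>/exe.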
PHP-Coded Web Skimmer
The researchers also found a PHP-coded web skimmer in the e-commerce platform's code. It masquerades as a favicon image file (favicon absolute top[.]jpg).
It injects fake payment forms and captures the card details customers type into them in real time, then transmits the data to a remote server.
The Hong Kong-based server that the PHP code sends the stolen data to had already served as a skimming exfiltration endpoint in July and August.
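A PHP file hiding behind an image name is something a web root scan can pick up. The script below is an added example, not code from the original report or from the researchers: it walks a directory, and for every file with an image extension it checks whether the content carries a PHP open tag or lacks the magic bytes a real image starts with. The sample web root it builds is constructed (the file fake_favicon.jpg is a harmless stand-in, not the actual skimmer), and the extension list and the one-megabyte read limit are assumptions.

```python
from __future__ import annotations

import os
import re
import tempfile

# Extensions the skimmer's disguise relies on (assumption; extend as needed).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}

# Leading bytes a genuine JPEG, PNG, GIF or ICO file starts with.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"\x00\x00\x01\x00")

# Any PHP open tag (<?php or the short echo form <?=), anywhere in the file.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")


def classify(data: bytes) -> list[str]:
    """Return reasons a supposed image file is suspect (empty list if none)."""
    reasons = []
    if PHP_OPEN_TAG.search(data):
        reasons.append("contains PHP open tag")
    if not data.startswith(IMAGE_MAGIC):
        reasons.append("no image magic bytes")
    return reasons


def scan_tree(root: str, max_bytes: int = 1 << 20) -> dict[str, list[str]]:
    """Walk a web root and report every image-named file that fails a check.

    Keys are paths relative to root with forward slashes. Only the first
    max_bytes of each file are inspected (assumption: a planted tag is not
    buried a megabyte deep in a favicon).
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                reasons = classify(f.read(max_bytes))
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample(root: str) -> None:
    """Write a constructed web root; nothing in it is a real skimmer."""
    files = {
        "images/logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                     # genuine JPEG header
        "images/fake_favicon.jpg": b"<?php /* stand-in for the skimmer */ ?>",      # PHP under an image name
        "images/polyglot.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php echo 1; ?>",  # real header, PHP tail
        "index.php": b"<?php echo 'shop'; ?>",                                    # ordinary PHP, not image-named
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", "; ".join(reasons))
```

The magic-bytes check on its own is beaten by a polyglot (a valid image header with PHP appended), which is why the tag search runs over the whole prefix regardless of the header. A PHP file named .jpg only executes if the platform's code includes it or the web server is misconfigured to run images as PHP, so a scan like this is most useful alongside a file-integrity baseline of the platform's code, which would also have flagged the server-side modification the attackers made.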
The linux_avp attacks show that attackers are actively scanning for and exploiting flaws in public-facing websites, e-commerce platforms in particular. Businesses that sell online should understand the risk of running unpatched plugins, especially ones that accept file uploads: a single upload flaw was enough here to land a web shell, a backdoor and a skimmer. Researchers recommend that businesses patch promptly and focus on detecting and blocking skimming attacks to stay secure.