Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Attackers deploy Linux backdoor on e-stores compromised with software skimmer

Researchers discovered threat actors installing a Linux backdoor on compromised e-commerce servers after deploying a credit card skimmer into e-stores. Security researchers from Sansec Threat Research Team discovered a Linux backdoor during an investigation into the compromised of an e-commerce server with a software skimmer. The attackers initially conducted a reconnaissance phase by probing the […]

Researchers discovered threat actors installing a Linux backdoor on compromised e-commerce servers after deploying a credit card skimmer into e-stores.

Security researchers from Sansec Threat Research Team discovered a Linux backdoor during an investigation into the compromised of an e-commerce server with a software skimmer.

The attackers initially conducted a reconnaissance phase by probing the e-store with automated eCommerce attack probes. After a day and a half, the threat actors found and exploited a file upload vulnerability in one of the e-store’s plugins to upload a webshell and inject a software skimmer.

The attackers also uploaded a Linux backdoor (linux_avp) written in Golang that disguises as a fake ps -off process. The analysis of the backdoor revealed that it was able to receive commands from a server hosted on Alibaba (47.113.202.35). The backdoor injects a malicious crontab entry to achieve persistence.

“At the time of writing, no other anti-virus vendor recognize this malware. Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment “test”.” reads the post published by Sansec Threat Research Team.


The backdoor was allegedly developed by user “dob” in a project folder “lin_avp”, the development team codenamed it GREECE.

The PHP-coded web skimmer, camouflaged as a .JPG image file (app/design/frontend/favicon_absolute_top[.]jpg), was dropped in the /app/design/frontend/ folder. The skimmer retrieves a fake payment form from the following address

https://103.233.11.28/jQuery_StXlFiisxCDN.php?hash=06d08a204bddfebe2858408a62c742e944824164

and inject it in the e-store.

At the time of this writing, the backdoor has a zero-detection rate on the anti-malware engines on VirusTotal a month after it was first uploaded on the platform.

“The person uploading the malware could very well be the malware author, who wanted to assert that common anti-virus engines will not detect their creation.” concludes the post. “Sansec has updated detection capabilities for our eComscan security monitor, and the malware was discovered on several US and EU based servers.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux Backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]