Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer capable of stealing payment information from compromised websites.
“The attacker started with automated e-commerce attack probes, testing dozens of weaknesses in common online store platforms,” Sansec Threat Research researchers noted in an analysis. “After a day and a half, the attacker found a file download vulnerability in one of the plugins in the store.” The name of the affected vendor has not been disclosed.
The initial foothold was then used to download a malicious web shell and modify server code to siphon data from customers. Additionally, the attacker delivered Golang-based malware called “linux_avp”, which serves as a backdoor to execute commands sent remotely from a command and control server hosted in Beijing.
Once running, the program removes itself from disk and disguises itself as “ps -ef”, the utility for viewing running processes on Unix and Unix-like operating systems.
The Dutch cybersecurity company said it also discovered a PHP-coded web skimmer disguised as a favicon image (“favicon_absolute_top.jpg”) and added to the e-commerce platform code. Its purpose is to inject fraudulent payment forms and steal the credit card information entered by customers in real time, before transmitting it to a remote server.
Sansec researchers also said the PHP code was hosted on a server located in Hong Kong that had previously been used as a “skimming exfiltration endpoint in July and August of this year.”