Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer capable of stealing payment information from compromised websites.
“The attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms,” researchers from Sansec Threat Research said in an analysis. “After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins.” The name of the affected vendor was not disclosed.
The initial foothold was then leveraged to upload a malicious web shell and alter the server code to siphon customer data. Additionally, the attacker delivered a Golang-based malware called “linux_avp” that serves as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing.
Upon execution, the program is designed to remove itself from disk and camouflage itself as a “ps -ef” process, ps being the utility for displaying currently running processes on Unix and Unix-like operating systems.
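Both tricks leave traces a defender can look for: on Linux, deleting the file behind a running process does not free it, and the kernel marks the target of /proc/&lt;pid&gt;/exe with a trailing “ (deleted)”; and a process that calls itself ps should be backed by the real ps binary. The following script is an added example, not Sansec's tooling or any code from the article. It walks /proc on a live host and also runs the same logic over a constructed snapshot (the pids, paths and the “/tmp/linux_avp” name in it are made up for illustration). The set of legitimate ps paths is an assumption about typical distributions.

```python
import os

# Paths where a genuine ps binary lives on common Linux distributions
# (assumption; adjust for the host, e.g. busybox-based systems).
REAL_PS_PATHS = {"/usr/bin/ps", "/bin/ps"}


def suspicious(pid, argv, exe_target):
    """Return a reason string if a process looks like a masquerading binary, else None.

    argv is the command line split on NUL; exe_target is what /proc/<pid>/exe
    points at.  Once the file backing a running process has been unlinked, the
    kernel appends " (deleted)" to that target, which is exactly the state a
    self-deleting implant leaves behind.
    """
    if exe_target.endswith(" (deleted)"):
        return f"pid {pid}: executable unlinked from disk ({exe_target})"
    argv0 = os.path.basename(argv[0]) if argv else ""
    if argv0 == "ps" and exe_target not in REAL_PS_PATHS:
        return f"pid {pid}: argv[0] is ps but exe is {exe_target}"
    return None


def scan_snapshot(snapshot):
    """Apply suspicious() to a list of (pid, argv, exe_target) tuples."""
    return [r for r in (suspicious(*row) for row in snapshot) if r]


def scan_proc(proc_root="/proc"):
    """Walk a live /proc and return findings; run as root to see every process."""
    snapshot = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe_target = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue  # kernel thread, process already gone, or not permitted
        snapshot.append((pid, argv, exe_target))
    return scan_snapshot(snapshot)


# Constructed snapshot (not data from the incident): a genuine ps, a
# self-deleted implant posing as ps, an unrelated daemon, and a fake ps
# that is still on disk under the web root.
SAMPLE_SNAPSHOT = [
    (1234, ["ps", "-ef"], "/usr/bin/ps"),
    (4321, ["ps", "-ef"], "/tmp/linux_avp (deleted)"),
    (5555, ["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd"),
    (6666, ["ps", "-ef"], "/var/www/html/media/ps"),
]

if __name__ == "__main__":
    for finding in scan_snapshot(SAMPLE_SNAPSHOT):
        print(finding)
```

Two caveats when running this for real: an implant may set its name with prctl(PR_SET_NAME) rather than by overwriting argv, in which case /proc/&lt;pid&gt;/comm changes while cmdline does not, so compare both; and a “(deleted)” target also appears, harmlessly, for long-running services whose binary was replaced by a package upgrade, so treat it as a lead rather than a verdict.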
The Dutch cybersecurity firm said it also discovered a PHP-coded web skimmer disguised as a favicon image (“favicon_absolute_top.jpg”) and added to the e-commerce platform’s code with the goal of injecting fraudulent payment forms and stealing credit card data entered by customers in real time, before transmitting it to a remote server.
Furthermore, Sansec researchers said the PHP code was hosted on a server located in Hong Kong and that it had previously been used as a “skimming exfiltration endpoint in July and August of this year.”
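A web server does not execute a .jpg on its own, which is why the skimmer had to be wired into the platform's PHP code; that gives a defender two things to check: files under the web root whose extension says image but whose bytes say PHP, and PHP files that include or require an image-named path. The script below is an added example, not Sansec's tooling or code from the article. It scans a directory on disk and also classifies a few constructed samples (the sample bytes, the include line and the “/media/...” path are made up; only the file name favicon_absolute_top.jpg comes from the report). The extension list and magic numbers are assumptions about what a skimmer author would imitate.

```python
import os
import re

# Extensions an attacker would pick so a file passes as static media
# (assumption; .svg is excluded because it is legitimately text).
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp"}

# Leading bytes of the genuine formats.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a",
               b"\x00\x00\x01\x00", b"RIFF")

PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")

# include/require whose quoted argument ends in an image extension, e.g.
#   require_once __DIR__ . '/media/favicon_absolute_top.jpg';
IMAGE_INCLUDE = re.compile(
    rb"(?:include|require)(?:_once)?\b[^;]*?['\"]([^'\"]*\.(?:jpe?g|png|gif|ico|webp))['\"]",
    re.IGNORECASE,
)


def classify(name, data):
    """Verdict for a file with an image extension; None if benign or not image-named."""
    if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
        return None
    looks_like_image = data.startswith(IMAGE_MAGIC)
    has_php = PHP_OPEN_TAG.search(data) is not None
    if has_php and not looks_like_image:
        return "php-disguised-as-image"   # the favicon_absolute_top.jpg pattern
    if has_php:
        return "php-embedded-in-image"    # real header, PHP inside: still runs if included
    if not looks_like_image:
        return "not-an-image"             # worth a look, though it may just be a broken upload
    return None


def find_image_includes(php_source):
    """Image-named paths that PHP source pulls in via include/require."""
    return [m.decode(errors="replace") for m in IMAGE_INCLUDE.findall(php_source)]


def scan_webroot(root, max_bytes=1 << 20):
    """Walk a web root; return [(path, verdict)] for disguised images and for
    PHP files that include image-named paths."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            verdict = classify(name, data)
            if verdict:
                findings.append((path, verdict))
            if name.lower().endswith((".php", ".phtml")):
                for inc in find_image_includes(data):
                    findings.append((path, f"includes image-named file {inc}"))
    return findings


# Constructed samples (not the real skimmer or the real patched file).
FAKE_FAVICON = b"<?php /* stand-in for a skimmer body */ echo 'x'; ?>"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
POLYGLOT_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php echo 'x'; ?>"
PATCHED_PHP = b"<?php\nrequire_once __DIR__ . '/media/favicon_absolute_top.jpg';\n"


def scan_samples():
    """Run the checks over the constructed samples."""
    return {
        "favicon_absolute_top.jpg": classify("favicon_absolute_top.jpg", FAKE_FAVICON),
        "logo.jpg": classify("logo.jpg", REAL_JPEG),
        "banner.jpg": classify("banner.jpg", POLYGLOT_JPEG),
        "index.php includes": find_image_includes(PATCHED_PHP),
    }


if __name__ == "__main__":
    for key, verdict in scan_samples().items():
        print(f"{key}: {verdict}")
```

The include check only catches literal paths; a skimmer loaded through a variable, eval, or a php.ini auto_prepend_file setting needs a different lookout, so pair this with file-integrity monitoring of the platform's core PHP files.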