Cybersecurity (opens in new tab) researchers have discovered a new Linux (opens in new tab) backdoor on compromised ecommerce servers (opens in new tab) that intercepts and exfiltrates sensitive customer information, including credit card details.
The malicious agent, dubbed linux_avp is written in Golang, and was discovered by researchers at Sansec, who were approached by an affected merchant who couldn’t seem to get rid of malware (opens in new tab) from his store.
“It [linux_avp] is being deployed around the world since last week and takes commands from a control server in Beijing,” note the researchers (opens in new tab) in their analysis of the malware.
The discovery of the malware across ecommerce stores (opens in new tab) all around the world comes mere days before the Black Friday (opens in new tab) shopping extravaganza.
Flying under the radar
According to the researchers, the attackers first run automated tests to probe ecommerce websites (opens in new tab) against dozens of known vulnerabilities. As soon as one is found, it installs a backdoor and uploads the linux_avp server agent.
Digesting the technical details about the agent’s functions, BleepingComputer (opens in new tab) reports that the linux_avp agent injects fake payment forms on checkout pages displayed to customers of the compromised stores. Further analysis reveals that the fake payment form written in PHP is designed to steal and exfiltrate customers' payment and personal information.
The researchers note that the IP address used to fetch the fake payment page, is hosted in Hong Kong and has previously been observed as a skimming exfiltration endpoint in July and August of this year.
Sansec notes that it found the malware on several US and EU-based servers, though last checked, no other antivirus (opens in new tab) vendor recognized this malware.
Protect your network with one of these best firewall apps and services (opens in new tab), and shield your computers against all kinds of cyber-attacks with these best endpoint protection tools (opens in new tab)