New Golang-based Linux Malware Targeting eCommerce Websites

News

Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer that’s capable of stealing payment information from compromised websites.

“The attacker started with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms,” researchers from Sansec Threat Research said in an analysis. “After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins.” The name of the affected vendor was not revealed.

Automatic GitHub Backups

The initial foothold was then leveraged to upload a malicious web shell and alter the server code to siphon customer data. Additionally, the attacker delivered a Golang-based malware called “linux_avp” that serves as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing.

Golang-based Linux Malware

Upon execution, the program is designed to remove itself from the disk and camouflage as a “ps -ef” process, which is a utility for displaying currently-running processes in Unix and Unix-like operating systems.

Prevent Data Breaches

The Dutch cybersecurity firm said it also discovered a PHP-coded web skimmer that’s disguised as a favicon image (“favicon_absolute_top.jpg”) and added to the e-commerce platform’s code with the goal of injecting fraudulent payment forms and stealing credit card information entered by customers in real-time, before transmitting them to a remote server.

Furthermore, Sansec researchers said the PHP code was hosted on a server located in Hong Kong and that it was previously used as a “skimming exfiltration endpoint in July and August of this year.”

Products You May Like

Articles You May Like

US Launches Cyber Trust Mark for IoT Devices
Slovakia Hit by Historic Cyber-Attack on Land Registry
Hands-On Walkthrough: Microsegmentation For all Users, Workloads and Devices by Elisity
Japan Faces Prolonged Cyber-Attacks Linked to China’s MirrorFace
Cybercriminals Use Fake CrowdStrike Job Offers to Distribute Cryptominer

Leave a Reply

Your email address will not be published. Required fields are marked *