Researchers discovered a new web skimmer in the wild found to be targeting online stores. The Linux malware is deployed on ecommerce servers to steal users’ payment information.
Linux Malware Targeting Ecommerce Platforms
The cybersecurity firm Sansec has recently shared insights about a new Linux malware targeting ecommerce services.
As elaborated in their post, the researchers found this malware while inspecting a site upon the merchant’s request to detect the sneaky malware. They eventually caught a Golang-based web skimmer running on the servers.
The threat actors behind this campaign precisely exploited a vulnerable plugin running on the online store’s site.
We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data.
Consequently, the attackers also deployed a sneaky executable
linux_avp that disguises as fake
ps -ef process. This executable serves as a backdoor on the target servers to receive commands from the attackers. This backdoor also injects malicious crontab entry to achieve persistence to resist server reboots.
The malware uploads the file to add fake payment forms.
A file was added to the eCommerce platform code called
app/design/frontend/favicon_absolute_top.jpg, which contains PHP code to retrieve a fake payment form and inject it in the store.
Analyzing the malware server and IP hints that the origin server is from China.
Malware Currently Evades Detection
The researchers found this web skimmer active recently. However, the malware has managed to stay under the radar. Hence, the majority of antimalware solutions presently do not detect this malware.
Online store merchants should remain careful about the security of their websites. Perhaps, thorough website audits and scans might help to detect such threats quickly.