Just in time for the holidays, researchers late last week discovered a new malicious Linux agent — “linux_avp” — that hides as a system process on e-commerce servers. The malware, a malicious Golang program, serves as a backdoor and has been deployed around the world since last week, taking its commands from a control server in Beijing.
Researchers at Sansec explained that the attacker starts with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms. After roughly 36 hours, the attacker finds a file upload vulnerability in one of the store’s plugins. They then upload a web shell and modify the server code to intercept customer data.
Sansec researchers said they learned of the attack through a merchant who had reached out to them after hiring two forensic companies and still finding malware on his store’s systems.
This “linux_avp” malware serves as another example of how all of our systems, especially those involved with e-commerce, are being scanned for vulnerabilities, said Garret Grajek, CEO of YouAttest. Grajek said this particular piece of malware gets inserted into systems and then behaves as an advanced persistent threat (APT) tool, communicating back to a control mechanism and taking steps to avoid detection, such as hiding its process name.
“Enterprises must be proactive in watching out for the activities that malware will be conducting — such as navigating through our systems, looking for valuable resources, escalating privileges on the accounts, and communicating back to their command and control base stations,” Grajek said. “Tools that identify and trigger on identity privilege changes are key to help identify malicious attack mechanisms like this ‘linux_avp’ malware.”
Casey Ellis, co-founder and CTO at Bugcrowd, said the malware takes advantage of the Achilles heel of e-commerce websites: file upload vulnerabilities. While implanting web shells on these types of systems isn’t a new tactic, Ellis said the attackers have gone to some trouble to maintain persistence if the shell is discovered (the obfuscated crontab entry), as well as to hide their tracks (the benignly named data directories).
“Linux operators still often feel a little more bulletproof on the internet than Windows and Mac operators, and this is another demonstration that all code is flawed, and ultimately staying ahead of risk exposure through testing and updates is critical for anyone who operates an online business,” Ellis said.
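Two of the tradecraft points raised above, a process that hides its name and a crontab entry obfuscated to survive a cleanup, can be checked for from the defender’s side. The following is an added example written for this article, not code from Sansec or from the incident: the crontab text is a constructed sample, and the “base64 -d | sh” pattern is one assumed form of obfuscation rather than the specific entry the researchers found.

```python
import os
import re

# Constructed sample crontab (not from the incident): a benign renewal job and
# an entry that decodes a base64 blob straight into a shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * echo ZWNobyBoZWxsbw== | base64 -d | sh
"""

# "base64 -d | sh" is one assumed way a cron entry gets obfuscated; extend as needed.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba)?sh\b")

def suspicious_cron_entries(crontab_text):
    """Return (entry, reason) pairs for cron lines that decode a payload into a shell."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DECODE_TO_SHELL.search(line):
            hits.append((line, "decodes base64 and pipes it into a shell"))
    return hits

def process_name_mismatch(comm, exe_path):
    """True when the kernel task name (comm) disagrees with the on-disk binary."""
    # comm is capped at 15 characters, so compare against the truncated basename.
    # A process that renamed itself (prctl PR_SET_NAME or an argv[0] rewrite)
    # typically fails this check; interpreters and threaded daemons can too,
    # so treat hits as leads for a closer look rather than verdicts.
    basename = os.path.basename(exe_path).replace(" (deleted)", "")
    return basename[:15] != comm.strip()

def scan_proc(proc_root="/proc"):
    """Walk /proc and return (pid, comm, exe) for processes that fail the check."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read()
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; other users' processes need root
        if process_name_mismatch(comm, exe):
            findings.append((int(pid), comm.strip(), exe))
    return findings
```

Run `suspicious_cron_entries()` over the output of `crontab -l` for each account (and the files under /etc/cron.d) and `scan_proc()` as root; both return leads to inspect, not verdicts.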
Saryu Nayyar, CEO at Gurucul, said attackers are using this Linux malware to upload payloads that have the ability to steal user information for e-commerce sites.
“If an attack is possible, someone will find a way to exploit it and use it for their own benefit,” Nayyar said. “E-commerce sites seem to be especially targeted during the holiday season, so it’s incumbent on these sites to monitor and search out potential attacks. And users should be checking their payment accounts regularly to make sure that their information isn’t being used to make illicit purchases.”