Linux Malware and Web Skimmer Deployed on E-commerce Servers

It seems that malicious actors are now installing a Linux backdoor on hacked e-commerce infrastructure. It works together with a PHP-coded web skimmer that is inserted into the site and disguised as a .JPG picture file in the /app/design/frontend/ folder.

The attackers employ this script to download and insert phony payment forms into the checkout pages that the compromised online business displays to clients.

We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms. After a day and a half, the attacker found a file upload vulnerability in one of the store’s plugins. S/he then uploaded a webshell and modified the server code to intercept customer data.

Interestingly, the attacker also uploaded a Linux executable called linux_avp. This Golang program starts, removes itself from disk, and disguises itself as a fake ps -ef process.

Source

The Golang-based malware, which was discovered on the same site by cyber-security firm Sansec, was downloaded and run as a linux_avp executable on infiltrated servers.
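Two of the traits described above give a defender something concrete to hunt for: PHP code hiding inside a file named like an image under the theme folder, and a running process that calls itself ps -ef while its binary has been deleted from disk (visible as a "(deleted)" suffix on /proc/PID/exe). The following is an added example for this page, not code from Sansec or Heimdal; the directory layout, PID, and binary path in demo() are constructed placeholders.

```python
import os
import re
import tempfile
from pathlib import Path

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def find_php_in_images(root):
    """Image-named files under root whose bytes contain a PHP open tag."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(IMAGE_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    if PHP_TAG.search(f.read()):
                        hits.append(path)
    return sorted(hits)

def find_deleted_exe_processes(proc_root="/proc", names=("ps",)):
    """(pid, argv, exe) for processes named like ps whose binary is gone from disk."""
    suspects = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(os.path.join(base, "exe"))  # ends in " (deleted)" if unlinked
        except OSError:
            continue  # process exited, or we lack permission to read it
        if argv and os.path.basename(argv[0]) in names and exe.endswith(" (deleted)"):
            suspects.append((int(pid), " ".join(argv), exe))
    return suspects

def demo():
    """Constructed fixture, not real artefacts: a fake store tree and a fake /proc."""
    tmp = tempfile.mkdtemp()
    theme = Path(tmp, "app", "design", "frontend", "Vendor", "theme")
    theme.mkdir(parents=True)
    (theme / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php echo 'skimmer'; ?>")  # PHP behind a JPEG header
    (theme / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")  # a harmless image, must not match
    proc = Path(tmp, "proc", "4242")
    proc.mkdir(parents=True)
    (proc / "cmdline").write_bytes(b"ps\x00-ef\x00")  # argv as the fake "ps -ef" presents it
    os.symlink("/tmp/linux_avp_placeholder (deleted)", proc / "exe")
    return find_php_in_images(tmp), find_deleted_exe_processes(str(Path(tmp, "proc")))
```

On a live host, run find_php_in_images("/path/to/store/app/design/frontend") and find_deleted_exe_processes() as root; a legitimate ps whose package was upgraded while running can also show "(deleted)", so treat a hit as a lead to confirm, not a verdict.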

This effectively downloads the Golang malware executable to a random writable directory, and installs two configuration files. One contains a public key, which is presumably used to ensure that no-one but the malware owner can

Read More: https://heimdalsecurity.com/blog/linux-malware-and-web-skimmer-deployed-on-e-commerce-servers/