AL2021_48 New Golang-based Linux Malware Targeting Ecommerce Websites (26th November 2021)

E-commerce portal flaws are being manipulated to install a Linux backdoor as well as a credit card skimmer competent in stealing payment details from compromised websites.

Summary

In an assessment, Sansec Threat Research analysts noted, "The threat actor began with automated e-commerce attack probes, scanning for dozens of vulnerabilities in key online shop systems." "After about a day and a half, the threat actor detected a file upload vulnerability in one of the store's plugins." The merchant that was affected remained anonymous.

How it works

After the file upload vulnerability was discovered the threat actor then uploaded a malicious web shell and changed the server code to steal customer data. In addition, the threat actor delivered "linux_avp," a Golang-based malware that acts as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing.

During execution, the program is intended to remove itself from the disk and disguise itself as a "ps -ef" process, which is a utility similar to the Task manager in Windows OS used for displaying currently running processes in Unix and Unix- like operating systems.

According to the Dutch cybersecurity firm, it also discovered a PHP-coded web skimmer disguised as a favicon image ("favicon_absolute_top.jpg") and added it to the e-commerce platform's code to administer bogus payment forms and pilfer credit card information entered by customers in real-time before transmitting it to a remote server.

Furthermore, Sansec researchers stated that the PHP code was hosted on a Hong Kong server and had previously been used as a "skimming exfiltration endpoint in July and August of this year."

Remediation

At this moment there is no fixed patch to remedy this malware, it is recommended that system administrators establish a defence in depth mechanism to counter this malware by implementing the following:

  • Keep your computer and software updated- Updates and patches are to help prevent your device from being susceptible to malicious attacks.

  • Use a non-administrator account whenever possible- Administrator accounts have full privilege to install and make any changes on a device.

  • Think twice before clicking links or downloading anything- Suspicious links are known for trying to install malware to unsuspecting users’ PCs. Ensure that the link is legitimate before opening or downloading

  • Be careful about opening email attachments or images- Only open emails from addresses that you recognize. Malicious actors usually try to trick you into downloading viruses through email.

  • Don’t trust pop-up windows that ask you to download software - In some cases viruses and malware hides behind pop-up windows.

  • Limit your file sharing- Know who have access to the file sharing you have created

  • Use antivirus software – Antivirus software helps to mitigate or eliminate malware.

  • Implement firewall installation – Firewall prevents unwanted packets from entering or leaving a network, providing its configured properly based on the network design.

    The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
    PDF Download:
    New Golang-based Linux Malware Targeting Ecommerce Websites.pdf

References

          https://www.jioforme.com/new-golang-based-linux-malware-targeting-e- commerce-websites/942070/