
#1 2021-11-24 14:03:59

Spoiler24
Support
From: Singapore
Registered: 2018-03-17
Posts: 537
Deposit: $0

New Golang-based Linux Malware Targeting eCommerce Websites

Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer that's capable of stealing payment information from compromised websites.

"The attacker started with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms," researchers from Sansec Threat Research said in an analysis. "After a day and a half, the attacker found a file upload vulnerability in one of the store's plugins." The name of the affected vendor was not revealed.

The initial foothold was then leveraged to upload a malicious web shell and alter the server code to siphon customer data. Additionally, the attacker delivered a Golang-based malware called "linux_avp" that serves as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing.

Upon execution, the program is designed to remove itself from the disk and camouflage itself as a "ps -ef" process, which is a utility for displaying currently-running processes in Unix and Unix-like operating systems.

The Dutch cybersecurity firm said it also discovered a PHP-coded web skimmer that's disguised as a favicon image ("favicon_absolute_top.jpg") and added to the e-commerce platform's code with the goal of injecting fraudulent payment forms and stealing credit card information entered by customers in real-time, before transmitting it to a remote server.

Furthermore, Sansec researchers said the PHP code was hosted on a server located in Hong Kong and that it was previously used as a "skimming exfiltration endpoint in July and August of this year."

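The two traits the post singles out (a backdoor that unlinks its own binary and poses as "ps -ef", and a PHP skimmer hidden behind a .jpg file name) both leave host-level evidence a defender can look for. The script below is an added example written for this thread; it is not Sansec's tooling and not part of the article. It assumes a standard Linux /proc layout and a web root path you supply; the sample /proc tree and web root used in its checks are constructed, and the "linux_avp" file name is taken from the post only as an illustration.

```python
#!/usr/bin/env python3
"""Two host checks motivated by the linux_avp / favicon skimmer report.

1. Processes whose executable was deleted from disk, or whose argv[0]
   names a different program than the file mapped as /proc/<pid>/exe.
2. Image-named files under a web root that contain a PHP open tag.

Both produce triage leads, not verdicts: package upgrades leave deleted
executables behind, and multi-call binaries (busybox) or interpreters
legitimately run under names that differ from their executable.
"""
import os
import re
from pathlib import Path

# PHP open tags "<?php" and the short echo tag "<?=", matched as bytes so
# binary image data can be scanned without decoding. "<?xml" in an SVG
# does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp", ".svg"}
MAX_SCAN_BYTES = 4 * 1024 * 1024  # per-file cap so a huge asset cannot stall the scan
DELETED_SUFFIX = " (deleted)"     # appended by the kernel to an unlinked exe target


def find_masquerading_processes(proc_root="/proc"):
    """Return (pid, reason, exe_target, argv0) tuples for suspicious processes.

    proc_root is parameterised (assumption) so the check can run against a
    constructed tree; on a live host it needs root to read other users' pids.
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip self, sys, net, etc.
        pid_dir = Path(proc_root, entry)
        try:
            exe_target = os.readlink(pid_dir / "exe")
            argv = (pid_dir / "cmdline").read_bytes().split(b"\0")
        except OSError:
            continue  # kernel thread, already exited, or not readable by us
        pid = int(entry)
        argv0 = argv[0].decode("utf-8", "replace") if argv and argv[0] else ""
        deleted = exe_target.endswith(DELETED_SUFFIX)
        real_path = exe_target[:-len(DELETED_SUFFIX)] if deleted else exe_target
        exe_name = os.path.basename(real_path)
        if deleted:
            findings.append((pid, "executable unlinked from disk", exe_target, argv0))
        # A leading '-' marks a login shell, not spoofing. Prefix comparison
        # tolerates versioned interpreter names (python3 vs python3.11).
        claimed = os.path.basename(argv0.lstrip("-"))
        if claimed and not (claimed == exe_name
                            or exe_name.startswith(claimed)
                            or claimed.startswith(exe_name)):
            findings.append((pid, "argv[0] does not match executable", exe_target, argv0))
    return findings


def find_php_in_image_files(webroot):
    """Return paths (relative to webroot, sorted) of image-named files that
    contain a PHP open tag, the trick used to hide a skimmer in a .jpg."""
    root = Path(webroot)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_SUFFIXES:
            continue
        try:
            with open(path, "rb") as fh:
                blob = fh.read(MAX_SCAN_BYTES)
        except OSError:
            continue
        # Search the whole (capped) file: polyglots keep a valid image
        # header and append the PHP payload after it.
        if PHP_OPEN_TAG.search(blob):
            hits.append(str(path.relative_to(root)))
    return hits


if __name__ == "__main__":
    import sys
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www"  # assumed default
    for pid, reason, exe, argv0 in find_masquerading_processes():
        print(f"[proc] pid={pid} {reason}: exe={exe!r} argv0={argv0!r}")
    for rel in find_php_in_image_files(webroot):
        print(f"[web] PHP open tag inside image-named file: {rel}")
```

Run it as root with the shop's document root as the argument; a hit from the first check that also shows up with a `(deleted)` exe target is worth pulling the binary from `/proc/<pid>/exe` before the process exits, since the on-disk copy is already gone.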