'linux_avp' Malware Used to Plant Web Skimmers

foudre malware

The 'linux_avp' Malware is a very specific malicious implant that has been discovered on e-commerce servers. The primary goal of the malicious threat is to modify the contents of specific e-commerce files in order to execute an online skimming attack. Instead of modifying the original payment form, the criminals are creating fake checkout pages and payout forms that harvest user credentials. Of course, in order to plant the 'linux_avp' Malware, the criminals first need to penetrate the defenses of the server they are targeting. There is not enough information to determine the exact infection vector they use, but they are likely to rely on either phishing, vulnerabilities in outdated software, or poorly secured login credentials.

The implant used to manipulate the contents of forms and pages seems to be written in the Go programming language, which has become very popular among malware developers. The criminals seem to always use the name 'linux_avp' for their implant. Allegedly, they are controlling it through remote commands that appear to originate from a China-based server belonging to the Alibaba network. However, this does not confirm that the perpetrators are from China – they might just be renting the server.

Last but not least, the malicious file gains persistence by setting up new cron jobs on Linux systems. Online shop administrators need to secure their systems from such attacks by utilizing credibly security products, and ensuring that they are using secure login credentials. Last but not least, they should also apply the latest security updates and patches regularly.

By Ruik
November 19, 2021
November 19, 2021