• Chris Bratton - Tech Journalist

Golang eCommerce backdoor process discovered

Experts said the new eCommerce hitting backdoor is sourced from China. It runs a Golang program called 'linux_avp', making a backdoor that may reveal sensitive information. While many processes run in the background, this one hides and sends critical information to the creator port.

Sansec discovered the vulnerability once it's been reported as a (64 bits) 'test' process. It remained an imposter among other programs without notice for quite some time, which raised eyebrows among cybersecurity and research teams.

Ecommerce sites, as we know, hold various types of data, including payment information and other sensitive data. This vulnerability is dangerous not only for customers who may unintentionally lose money but also for eCommerce as data can be sold to competitors, making fake payments, etc. We were surprised and the security experts on how this kind of process gets into the system in the first place.

It is unusual to see several reports being sent before security teams found the 'linux_avp' backdoor. From Beijing, China, hackers have been commanding the malware since last week. The malware is powerful enough to send automated requests. It has proxy handling capability to disguise itself from the rest of the process without ticking any red alert to the firewall or security system. Security researchers at Sansec said: "After a day and a half, the attacker found a file upload vulnerability in one of the store's plugins. S/he then uploaded a web shell and modified the server code to intercept customer data."

The attacker started chain attacks to discover eCommerce server vulnerabilities worldwide, and even forensic teams failed to find the malware. After testing dozens of weaknesses in the system, Sansec discovered the vulnerability underlying many processes. One was questionable among many plugins used to keep the online store running; one was suspicious as it looked like an upload vulnerability. The malware used a web shell, modified the command's server code, and transmitted directly to the attacker. A single malware capable of doing all that and remaining undetected for weeks is hazardous if we think about operation scaling.

The malware was developed using Golang, a fast and efficient programing language to build software. Dozens of weaknesses have been tested by the attack probe in online stores before deploying the linux_avp malware. Researchers said: "analysis of linux_avp suggests that it serves as a backdoor, waiting for commands from a Beijing (Alibaba) hosted server."

It also has the power to start again after a server reboot according to the config files. IP of the server ran from with PostDecript spelling in the function. The backdoor also has getJob client function, MakeCryptoPostData, register_cli, DownloadFile, EncryptOAEP, GernerateKeyPair, map2json dump file, pubFrom64, PulicKeyToBytes, SetProcessName, wsock, and similar main functions.

We could see no trace of detection in VirusTotal before initial reports and security teams fining the issue, and later it was red-flagged. On 8th October, one individual commented 'test' on the malware just after it breached the eCommerce store, Sansec's client. It is thought that the person commenting was behind the malware and was trying to prove they can deploy malware that can avoid detection. Open challenges in cyberspace are not uncommon, but this kind of executed threat is quite dangerous, and we have no idea what more it can do with similar properties.

Sansec team was the first to document 2015's large scale skimming's, and since then, they have had thousands of clients who took their help for investigation. They are working on advanced anti-skimming technology for helping cybersecurity and forensic teams.

Golang is supported by Google, which makes the programing langue quite powerful and versatile. Another Chinese connection was found in the code on app/design/’frontend/favicon_absolute_top.jpg PHP code, which helps in fake payment retrieval and injection.