Attackers skimmed sensitive information from e-commerce websites by deploying malware dubbed linux_avp, which is written in Go. Analysis of linux_avp shows that it acts as a backdoor, waiting for commands from an Alibaba-hosted server, 18.104.22.168. The malware also installs a malicious crontab entry so that access survives the process being killed or the server being rebooted. Once launched, it immediately deletes itself from disk and disguises itself as a "ps -ef" process, the command normally used to list currently running processes.
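The two host-level traits described above (a long-running process named "ps -ef" whose binary has been deleted, and an every-minute cron entry launching from a temporary or hidden path) can be checked with a small script. This is an added detection example, not code from the original write-up; the sample crontab, the path regex and the function names are constructed assumptions.

```python
"""Host checks for the linux_avp behaviours described in the write-up:
self-deletion plus a spoofed "ps -ef" name, and crontab persistence.
Sample data and heuristics below are constructed for illustration."""
import os
import re

# Constructed crontab: the third line is the shape of a re-launch entry
# (every minute, hidden dir under /tmp, all output discarded).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/linux_avp >/dev/null 2>&1
"""

def is_masquerading_process(cmdline: str, exe_target: str) -> bool:
    """A real `ps -ef` exits quickly and its binary is never deleted.
    A process claiming to be `ps -ef` while /proc/<pid>/exe reports
    ' (deleted)' matches the self-removal trick in the write-up."""
    return cmdline.strip() == "ps -ef" and exe_target.endswith(" (deleted)")

def suspicious_cron_lines(crontab_text: str) -> list:
    """Return cron entries that fire every minute from a tmp or hidden path."""
    hits = []
    for line in crontab_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        every_minute = schedule == ["*"] * 5
        tmp_or_hidden = re.search(r"(^|\s)/(tmp|dev/shm|var/tmp)/|/\.", command)
        if every_minute and tmp_or_hidden:
            hits.append(line)
    return hits

def scan_live_processes() -> list:
    """Read-only walk of /proc; returns (pid, cmdline) pairs that match."""
    hits = []
    if not os.path.isdir("/proc"):          # non-Linux host: nothing to scan
        return hits
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:                      # exited, or not permitted
            continue
        if is_masquerading_process(cmdline, exe):
            hits.append((int(pid), cmdline.strip()))
    return hits
```

Run `scan_live_processes()` as root for full /proc visibility, and feed `crontab -l` output (for every user) to `suspicious_cron_lines`.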
linux_avp Backdoor Signatures
linux_avp Backdoor Download