The 'linux_avp' threat is malware written in Golang, an open-source and cross-platform language that is becoming an increasingly popular choice among cybercriminals. In an attempt to add increased detection-avoidance to their threatening creations, hackers have been shifting away from using the more common programming languages.
'linux_avp' Malware is classified as a backdoor threat and it targets vulnerable Linux e-commerce servers. It should be noted that the 'linux_avp' Malware backdoor was deployed on servers already infected with a credit card skimmer tasked with collecting the credit and debit card information of customers trying to make purchases on the compromised websites.
The threat was discovered and analyzed by the Dutch cyber-security company Sansec. According to their findings, 'linux_avp' hides its icon immediately after being executed and then assumes the identity of the 'ps -ef' process. The process is then used to obtain a list of all processes running on the machine. Afterward, the threat will stay quiet awaiting order from the attackers. The Command-and-Control (C2, C&C) server of the operations appears to be a Beijing server that is hosted on Alibaba's network.
The backdoor also will establish a persistence mechanism via a new crontab entry on the system. It allows 'linux_avp' to redownload its payload from the C2 and reinstall itself in case it gets detected and removed or the server is restarted.