On exploited e-commerce servers, analysts uncovered a new Linux backdoor that hijacks and exfiltrates sensitive consumer data, including credit card numbers. 

The malware, called “linux avp”, is built in Golang language and was found by Sansec experts after being contacted by a retailer who couldn’t seem to get spyware out of his business.

According to researchers, the malware has been disseminated around the world over the last week and accepts directions from a control server in Beijing. The attackers use automated testing to scan e-commerce websites for lots of known flaws. It deploys a backdoor and downloads the “linux avp” server agent as soon as one is found.

BleepingComputer says that the “linux avp” agent injects bogus payment forms on checkout pages shown to users of the hacked stores, based on technical facts regarding the agent’s capabilities. Further investigation revealed that the PHP-based bogus payment form is intended to steal and exfiltrate consumers’ financial and personal data.

The IP address used to retrieve the false transaction page is located in Hong Kong, according to the investigators, and was previously identified as a skimming exfiltration destination in July and August of this year.

The malware was discovered on the many US and EU-based servers, according to Sansec, albeit no other antivirus provider detected it as of the last check.