FishPig, a UK-based company developing extensions for the popular Magento open-source e-commerce platform, has announced that its paid software offerings have been injected with malware after its distribution server was compromised.
How the attackers compromised the FishPig extensions
Sansec researchers said that the FishPig distribution server was compromised on or before August 19th. “Any Magento store who installed or updated paid Fishpig software since then, is now likely running the Rekoobe malware,” they noted.
FishPig said that the compromise might have happened at any time after August 6. They did not say how the attackers managed to break into the the server – they might not be sure yet, in any case – but they do know that the attackers managed to inject malicious PHP code into the Helper/License.php file, which is included in most FishPig extensions.
Ben Tideswell, the lead developer at FishPig, told Ars Technica that the attackers took advantage of its custom system that encrypts the extensions’s code before being made available for download, thus hiding its existence from both users and malware scanners.
The injected malicious code installs the Rekoobe remote access trojan that, upon being launched, removes all malware files and runs in memory, Sansec researchers explained. Then it hides as a system process and waits for commands from a control server in Latvia.
The only good news related to this Magento supply chain attack is that there’s no evidence that the compromised installations have been taken advantage of.
“We expect that access to the affected stores may be sold in bulk on hacking forums,” Sansec threat researchers noted, and said that they have yet to detect follow-up abuse via the C2 server.
The number of affected installations is unknown.
FishPig is urging users to assume that all paid FishPig Magento 2 modules have been infected, and is advising them to upgrade all FishPig modules or reinstall existing versions from source.
They also provided a command to remove the Rekoobe backdoor from their system, and a testing tool to check FishPig files for infection. “We are currently offering a free clean up service for anyone who is worried that this is affecting their site and needs help to resolve it,” they added.
Sansec advises affected merchants to temporarily disable any paid FishPig extension, run a server-side malware scanner to detect the installed malware and, finally, to restart the server to terminate unauthorized background processes.