Hackers have injected malware in multiple extensions from FishPig, a vendor of Magento-WordPress integrations that count over 200,000 downloads.
Magento is a popular open-source eCommerce platform used for building electronic shops, supporting the sale of tens of billions USD worth of goods annually.
The intruders took control of FishPig’s server infrastructure and added malicious code to the vendor’s software to gain access to websites using the products, in what is described as a supply-chain attack.
Security researchers at Sansec, a company offering eCommerce malware and vulnerability detection services, have confirmed the compromise of ‘FishPig Magento Security Suite’ and ‘FishPig WordPress Multisite’.
They say that other paid extensions from the vendor are likely compromised, too. Free extensions hosted on GitHub appear to be clean, though.
The malware
Hackers injected malicious code into License.php, a file that validates licenses in premium FishPig plugins, which downloads a Linux binary (“lic.bin”) from FishPig’s servers (“license.fishpig.co.uk”).
The binary is Rekoobe, a remote access trojan (RAT) that has been seen in the past being dropped by the ‘Syslogk‘ Linux rootkit.
When launching from memory, Rekoobe loads its configuration, removes all malicious files, and assumes the name of a system service to make its discovery more difficult.
(Sancec)
Eventually, Rekoobe lies dormant and waits for commands from a Latvia-based command and control (C2) server that Sans researchers located at 46.183.217.2.
Sansec didn’t see any action taking place, suggesting that the threat actors behind the breach were likely planning to sell access to the compromised eCommerce stores.
Remediation actions
Merchants who have installed or updated premium FishPig software before August 19, 2022 should consider their stores compromised and take the following actions:
Disable all Fishpig extensions
Run a server-side malware scanner
Restart the server to terminate any unauthorized background processes
Add “127.0.0.1 license.fishpig.co.uk” to “/etc/hosts” to block outgoing connections
Responding to a request for comments from BleepingComputer, FishPig said that they are investigating the impact of the intrusion. The company has published a security advisory recommending an upgrade of all FishPig modules.
Additionally, a spokesperson of FishPig shared the following with BleepingComputer:
The best advice for people at the minute is to reinstall all FishPig modules. They do not need to update to the latest version (although they can), but just reinstalling the same version will ensure that they have clean code as any infected code has been removed from FishPig.
The infection was limited to a single file in our obfuscation code on our separate license.fishpig.co.uk and this has been removed and protection added against future attacks. FishPig.co.uk was not affected.
Sorry for any inconvenience people may have faced. This was an extremely clever and targeted attack and we will be more vigilant in the future.
